Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545005
MD5:	bc172e909f941b88af9d0eb4fb0c16ff
SHA1:	d5d4a9130808b2270b4945d84aef86de47f820ca
SHA256:	d9749480b21a4d4c977133fe24b27a65a18955cda393d243c331e7d30c786b5c
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BC172E909F941B88AF9D0EB4FB0C16FF)

taskkill.exe (PID: 7420 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7520 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7584 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7648 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7712 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7816 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7836 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8072 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8102d085-471f-4a36-be62-010be7f63302} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b91c66ff10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7612 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -parentBuildID 20230927232528 -prefsHandle 4024 -prefMapHandle 3984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7decf7cf-7d92-40f7-929e-0a4f03d2d61b} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b92e7ace10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3260 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5348 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6a0efd-c338-4d1a-9e37-77649038c4f6} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b93631f710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7404	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0034EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0034EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0034ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0034EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0033AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00369576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00369576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1678415645.0000000000392000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_49f9be47-0
Source: file.exe, 00000000.00000000.1678415645.0000000000392000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_12a7d33d-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9bbb6108-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5e721fdf-5

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B823088977 NtQuerySystemInformation,		16_2_000001B823088977
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B8230A2EF2 NtQuerySystemInformation,		16_2_000001B8230A2EF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0033D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00331201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00331201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0033E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002DBF40	0_2_002DBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D8060	0_2_002D8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00342046	0_2_00342046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00338298	0_2_00338298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030E4FF	0_2_0030E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030676B	0_2_0030676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00364873	0_2_00364873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002FCAA0	0_2_002FCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002DCAF0	0_2_002DCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002ECC39	0_2_002ECC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00306DD9	0_2_00306DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002ED064	0_2_002ED064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D90BC	0_2_002D90BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002EB119	0_2_002EB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D91C0	0_2_002D91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F1394	0_2_002F1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F1706	0_2_002F1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F781B	0_2_002F781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D7920	0_2_002D7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002E997D	0_2_002E997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F19B0	0_2_002F19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F7A4A	0_2_002F7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F1C77	0_2_002F1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F7CA7	0_2_002F7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035BE44	0_2_0035BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00309EEE	0_2_00309EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F1F32	0_2_002F1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B823088977	16_2_000001B823088977
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B8230A2EF2	16_2_000001B8230A2EF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B8230A361C	16_2_000001B8230A361C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001B8230A2F32	16_2_000001B8230A2F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002F0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 002EF9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003437B5 GetLastError,FormatMessageW,

0_2_003437B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003310BF AdjustTokenPrivileges,CloseHandle,		0_2_003310BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003316C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003451CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0033D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0034648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002D42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843456689.000001B9363B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813242751.000001B9363B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1812198479.000001B936B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893850384.000001B935E85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8102d085-471f-4a36-be62-010be7f63302} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b91c66ff10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -parentBuildID 20230927232528 -prefsHandle 4024 -prefMapHandle 3984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7decf7cf-7d92-40f7-929e-0a4f03d2d61b} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b92e7ace10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5348 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6a0efd-c338-4d1a-9e37-77649038c4f6} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b93631f710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8102d085-471f-4a36-be62-010be7f63302} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b91c66ff10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -parentBuildID 20230927232528 -prefsHandle 4024 -prefMapHandle 3984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7decf7cf-7d92-40f7-929e-0a4f03d2d61b} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b92e7ace10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5348 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6a0efd-c338-4d1a-9e37-77649038c4f6} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b93631f710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1808426596.000001B9306A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1889884154.000001B92BDC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1886104064.000001B92D953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1887533451.000001B92BDB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1889884154.000001B92BDC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1886104064.000001B92D953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1887844107.000001B92BDB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1808426596.000001B9306A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1887533451.000001B92BDB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1886104064.000001B92D953000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1887844107.000001B92BDB7000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002D42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002F0A76 push ecx; ret

0_2_002F0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_002EF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00361C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00361C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95033

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001B823088977 rdtsc

16_2_000001B823088977

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0033DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003468EE FindFirstFileW,FindClose,	0_2_003468EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0034698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0033D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0033D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00349642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0034979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0034979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00349B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00349B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00345C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00345C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002D42DE

Source: firefox.exe, 0000000F.00000002.2929393535.000002019EDC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: firefox.exe, 0000000F.00000002.2929393535.000002019EDC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2933142033.000001B823110000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2927964755.000001CFC2D7A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2932472433.000001CFC32D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2933069274.000002019F119000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2929393535.000002019EDC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: firefox.exe, 00000010.00000002.2928062263.000001B8228FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPb
Source: firefox.exe, 0000000F.00000002.2928255506.000002019ECAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 0000000F.00000002.2929393535.000002019EDC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2933142033.000001B823120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001B823088977 rdtsc

16_2_000001B823088977

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0034EAA2 BlockInput,

0_2_0034EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00302622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00302622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002D42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002F4CE8 mov eax, dword ptr fs:[00000030h]

0_2_002F4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00330B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00330B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00302622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00302622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002F083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F09D5 SetUnhandledExceptionFilter,	0_2_002F09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002F0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00331201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00312BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00312BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0033B226 SendInput,keybd_event,

0_2_0033B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_003522DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00330B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00331663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00331663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1817973000.000001B9306A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002F0698 cpuid

0_2_002F0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00348195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00348195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0032D27A GetUserNameW,

0_2_0032D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0030BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0030BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002D42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00351204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00351204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00351806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00351806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://truecolors.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.193.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.18.14	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000002.2929561992.000001B822BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929397493.000001CFC31C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1811677835.000001B937AD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1843456689.000001B9363B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813242751.000001B9363B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2929958227.000002019F0C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929561992.000001B822BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2932672685.000001CFC3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1824586906.000001B934561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760304032.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762609877.000001B934561000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2929561992.000001B822B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929397493.000001CFC318F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1886104064.000001B92D953000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1864439800.000001B934758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1869016599.000001B9346BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1811677835.000001B937AC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.comT	firefox.exe, 0000000D.00000003.1831829410.000001B92DB14000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1729362463.000001B92C220000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729084392.000001B92C000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729820047.000001B92C27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729568047.000001B92C23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729691228.000001B92C25D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1762086888.000001B92D198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762086888.000001B92D17E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1882387253.000001B935E6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846800237.000001B935E6C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1763084622.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814996390.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847487120.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760304032.000001B93468B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1814996390.000001B93467A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729820047.000001B92C27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832272646.000001B92EE20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729568047.000001B92C23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729691228.000001B92C25D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1815731490.000001B92FA6B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1729362463.000001B92C220000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729084392.000001B92C000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729820047.000001B92C27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729568047.000001B92C23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729691228.000001B92C25D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1876519291.000001B934439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920131636.000001B9344A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865118561.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896332637.000001B93445F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815452713.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898898330.000001B92EA49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844781721.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921384876.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763302544.000001B93447C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1886104064.000001B92D995000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1886104064.000001B92D953000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2929958227.000002019F0C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929561992.000001B822BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2932672685.000001CFC3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1814996390.000001B93467A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2929958227.000002019F0C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929561992.000001B822BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2932672685.000001CFC3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000D.00000003.1858131744.000001B92847D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865118561.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815452713.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844781721.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921384876.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929561992.000001B822B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929397493.000001CFC3103000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1798694084.000001B92F087000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800478465.000001B92F073000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1864439800.000001B934758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1814371955.000001B9357E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893906762.000001B9357E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917782812.000001B9357D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864128668.000001B9357E9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000002.2929561992.000001B822BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929397493.000001CFC31C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1800346150.000001B92F09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798694084.000001B92F087000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1859904131.000001B92DCD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1917782812.000001B9357AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1811677835.000001B937AD9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000002.2929561992.000001B822B5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929397493.000001CFC3113000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1864439800.000001B934758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1814371955.000001B935790000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.2929958227.000002019F072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1763084622.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814996390.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847487120.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760304032.000001B93468B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digi	firefox.exe, 0000000D.00000003.1808786529.000001B92BD7F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1859904131.000001B92DCD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877859505.000001B92DEAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1836835593.000001B92D4C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760304032.000001B93467A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782133051.000001B92DCE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775711466.000001B92DCDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824586906.000001B93453B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784016376.000001B92DC22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760810526.000001B93465B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760810526.000001B93466B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917324119.000001B92C247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763210840.000001B9344F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837711166.000001B92EECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815731490.000001B92FA43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784016376.000001B92DC1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832272646.000001B92EE29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856414492.000001B92BA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762429062.000001B92D127000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832118191.000001B936408000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1824586906.000001B934549000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816070482.000001B92FA0E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1815731490.000001B92FA6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1878345100.000001B92DE30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815731490.000001B92FA6B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1760304032.000001B9346B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869016599.000001B9346B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876301596.000001B9346B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908069495.000001B9346B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814996390.000001B9346B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847487120.000001B9346B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919191088.000001B9346B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762963600.000001B9346B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1812198479.000001B936B94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B93470F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843164106.000001B936B94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1812198479.000001B936B94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B93470F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843164106.000001B936B94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1824586906.000001B934561000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760304032.000001B9346B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1814961568.000001B93476E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1847487120.000001B93469A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1731623063.000001B92BA12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730879959.000001B92BA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731743593.000001B92BA2F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1866016375.000001B92EC3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922078887.000001B92EC44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873390908.000001B92EC3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850186913.000001B92EC42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1800346150.000001B92F09A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798694084.000001B92F087000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800414770.000001B92F09E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800478465.000001B92F073000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1731623063.000001B92BA12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730879959.000001B92BA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858131744.000001B92847D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731743593.000001B92BA2F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1814371955.000001B9357E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893906762.000001B9357E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917782812.000001B9357D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864128668.000001B9357E9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2929958227.000002019F0C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929561992.000001B822BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2932672685.000001CFC3403000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1864785522.000001B93467A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1864439800.000001B934758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1843248626.000001B936B58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1729691228.000001B92C25D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1814371955.000001B935790000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1847081216.000001B934764000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729084392.000001B92C000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849847820.000001B92ECCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873390908.000001B92EC87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866016375.000001B92EC87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850186913.000001B92EC87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729820047.000001B92C27B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832272646.000001B92EE20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729568047.000001B92C23E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729691228.000001B92C25D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1763084622.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814996390.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847487120.000001B93468B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1760304032.000001B93468B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2928923564.000002019ED50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2929052883.000001B8229A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2928842146.000001CFC2F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1886104064.000001B92D953000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.18.14	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545005
Start date and time:	2024-10-30 00:44:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 142.250.185.234, 172.217.18.10, 142.250.185.110, 2.22.61.56, 2.22.61.72, 142.250.185.206
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
19:45:09	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFmiRUl-2BtxcZ73D3PC6s7dEdSEpNEVf7BmEr33HzpWyzDy2Qc_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZML5SAWON4OCquRGeOrZOG6X7bKIH2ouDi7O5ssZhkwdV9j8BuAetGO74HzivTb4yjw5AGX5ZMnsGYBS3vBuNNgFYRVSYVxc5dN7eCLDUr43XjgYUZE2GmJzXmN-2BelIHWKsvaOOIeqiW6cnMf2CI6MeEhodwtV2LpZJtWZhkGi5I2rlc08PnxbPlMsOj2Cr9oC-2BCWb9WuPqmZU8rqYD8CNL-2BgY3UElGOq-2BfG3NfYFdrc0Rb11eU0t5G2ihyqzzZVfI-3D#cHNjaG1pdHRAZ3Jpc3Qub3Jn	Get hash	malicious	Unknown	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://mailhotcmhakamloops.wordpress.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	151.101.129.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.arm.elf	Get hash	malicious	Mirai	Browse	57.44.124.158
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	34.17.28.191
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	57.43.170.29
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.arm.elf	Get hash	malicious	Mirai	Browse	57.44.124.158
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	34.17.28.191
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	57.43.170.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_90977c2a-2535-45b2-aa00-c72931e3c4d4.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.175220220553857
Encrypted:	false
SSDEEP:	192:0jMXOo7cbhbVbTbfbRbObtbyEl7n4rkJA6WnSrDtTUd/SkDrl:0YLcNhnzFSJYr3BnSrDhUd/j
MD5:	56F2FB7E9D188C450AB5F4006C2057BE
SHA1:	C83F5CC5871EEBDCD2865666655284D697758A56
SHA-256:	464FC493CFD2C02A3D4E1E716DF1CEE4733A0A86F7033702F8B8310DCBC17BEF
SHA-512:	B83C5305F5A09FB0E3398ACDC7D0842A377253D23EF122A57BE603512863885FAC31DF1810EC76076E367FC437DC6483A2BA434EE24F0189135DCA18743C2825
Malicious:	false
Preview:	{"type":"uninstall","id":"90977c2a-2535-45b2-aa00-c72931e3c4d4","creationDate":"2024-10-30T00:47:30.449Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_90977c2a-2535-45b2-aa00-c72931e3c4d4.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.175220220553857
Encrypted:	false
SSDEEP:	192:0jMXOo7cbhbVbTbfbRbObtbyEl7n4rkJA6WnSrDtTUd/SkDrl:0YLcNhnzFSJYr3BnSrDhUd/j
MD5:	56F2FB7E9D188C450AB5F4006C2057BE
SHA1:	C83F5CC5871EEBDCD2865666655284D697758A56
SHA-256:	464FC493CFD2C02A3D4E1E716DF1CEE4733A0A86F7033702F8B8310DCBC17BEF
SHA-512:	B83C5305F5A09FB0E3398ACDC7D0842A377253D23EF122A57BE603512863885FAC31DF1810EC76076E367FC437DC6483A2BA434EE24F0189135DCA18743C2825
Malicious:	false
Preview:	{"type":"uninstall","id":"90977c2a-2535-45b2-aa00-c72931e3c4d4","creationDate":"2024-10-30T00:47:30.449Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925130513003033
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLwLV8P:8S+OBIUjOdwiOdYVjjwLwV8P
MD5:	6388278BF42885CF19FDB0B068FC6298
SHA1:	09DFC3FEE1DC9EC9824818F0A02E790BA5CECE73
SHA-256:	A24A7D7AA56148D7BAC263BA4A4464E77926398DCE2A61816DF793B6CEB0AE25
SHA-512:	6DA1B9C262F5320D0CCBA9AD4F75297AD8E192A673DF34E131801A1DD43C53E9ACEF430050D484632AF79E2D177EB44376E010C8925F25494D5C62B9FB3A8F8C
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925130513003033
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLwLV8P:8S+OBIUjOdwiOdYVjjwLwV8P
MD5:	6388278BF42885CF19FDB0B068FC6298
SHA1:	09DFC3FEE1DC9EC9824818F0A02E790BA5CECE73
SHA-256:	A24A7D7AA56148D7BAC263BA4A4464E77926398DCE2A61816DF793B6CEB0AE25
SHA-512:	6DA1B9C262F5320D0CCBA9AD4F75297AD8E192A673DF34E131801A1DD43C53E9ACEF430050D484632AF79E2D177EB44376E010C8925F25494D5C62B9FB3A8F8C
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0732719776631799
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiim:DLhesh7Owd4+jiJ
MD5:	CB6A5DA1CB9489BC406B4471BEF0BAB7
SHA1:	423E4A475525B63B604A11A271C071F88E0194B7
SHA-256:	55F58FA0D63E27B8760591A5927DF549459A70EB8B7E027D0C3C3F81E294CDFF
SHA-512:	B592ABF2E91F7318BC74F72DD3A6BF8C0352A8EB935A9B7E80EA8D1462BC24078C79B664A3E3427C724A71FD69D0DE3C4841588F1949A910B1BB5D8A85089C50
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035737944707653645
Encrypted:	false
SSDEEP:	3:GtlstFezLevDOc/9HYl3lstFezLevDOc/llXT89//alEl:GtWtc8D+Wtc8D389XuM
MD5:	C1A0529A928241C2F4F0AC6EAD334A66
SHA1:	0C6C5C8B369C8B660749DE75ECEF24FA2566CEF7
SHA-256:	CD111912E6A7AB5B4ABE5C829578426D70BFEE3761CC7DC68C4438D7E3AA9CDD
SHA-512:	BD65AA150E8AA6E81DA910AEA7F6C0EBA4788FA935C7ADBE1BC886963E19EC6D2E80A016341E6C3E1FED01A2FA28E1F6F214250B72BF0EAE59142AAECEF54C1F
Malicious:	false
Preview:	..-......................@..,.G..=s..J.fg..N...Z..-......................@..,.G..=s..J.fg..N...Z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03935530161693917
Encrypted:	false
SSDEEP:	3:Ol1rvvDflya7rKDAByJ9qwl8rEXsxdwhml8XW3R2:K5vDfPKDx2wl8dMhm93w
MD5:	873C84C15F764FA476475B34D2204C93
SHA1:	6D45158735FADC750D81CA347B17E53F6D4B20B2
SHA-256:	E0C753DEDF1CCF84C48E286D890D8CF14CAC82B4E5CAC853953770E36AE2CA6A
SHA-512:	CAA8C9B5979EF2A67FF300F5C50F678CAC016260B58195F02990E9345778ED241F0DA4CF46E88F19D93332D4B39FB0C02E1E6300CE42FC0007F9646100D9DDD4
Malicious:	false
Preview:	7....-...........=s..J.f.:@...bJ.........=s..J.f..@..G.,................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492992274477336
Encrypted:	false
SSDEEP:	192:PnaRtLYbBp62hj4qyaaXh6KBSNwY5RfGNBw8doSl:6ekqLW+tcwr0
MD5:	F257909759768D36797E517106C0F287
SHA1:	A4D916F3837ECFD9A473EA9037B79E3F23C37690
SHA-256:	F4B79AD5BBE882B3A73AB17039D675CEB320A13926202EBF9270EB50E784C718
SHA-512:	47E4FC6CFDC4F35372B82F3C59ED7870E8683138BC9AF5B90E6A9BA15D2CAD20461CAF6E3820AA7F12A9041FF9C2A8F825D39E7AC5008DE3A6BDCFD99561D223
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730249221);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730249221);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730249221);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173024

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492992274477336
Encrypted:	false
SSDEEP:	192:PnaRtLYbBp62hj4qyaaXh6KBSNwY5RfGNBw8doSl:6ekqLW+tcwr0
MD5:	F257909759768D36797E517106C0F287
SHA1:	A4D916F3837ECFD9A473EA9037B79E3F23C37690
SHA-256:	F4B79AD5BBE882B3A73AB17039D675CEB320A13926202EBF9270EB50E784C718
SHA-512:	47E4FC6CFDC4F35372B82F3C59ED7870E8683138BC9AF5B90E6A9BA15D2CAD20461CAF6E3820AA7F12A9041FF9C2A8F825D39E7AC5008DE3A6BDCFD99561D223
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730249221);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730249221);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730249221);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173024

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\1243ecd8-d531-4ace-ac19-bec6dfbb926b (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.948903192176635
Encrypted:	false
SSDEEP:	12:YZFgv3pN4IVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Y2N4SlCOlZGV1AQIWZcy6Z2d
MD5:	4E7041F6BA84A555A39DB29B9FDF713C
SHA1:	97DE1E9BF38DB1C624CE02C75650EA62D50CDED6
SHA-256:	CB1361F5B1C26733BEDD2320984724602DCCD56B6A3D373F2459ACB2D214E6F9
SHA-512:	3E9B0ABDF4D9566A9F785A0A0CFF64D392D59C74AF027D6839D54896930C9F89D533786045655C8068A488C3AE5277BE28452C8E2E0B7A149B810E9743F0115B
Malicious:	false
Preview:	{"type":"health","id":"1243ecd8-d531-4ace-ac19-bec6dfbb926b","creationDate":"2024-10-30T00:47:31.107Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\1243ecd8-d531-4ace-ac19-bec6dfbb926b.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.948903192176635
Encrypted:	false
SSDEEP:	12:YZFgv3pN4IVHlW8cOlZGV1AQIYzvZcyBuLZ2d:Y2N4SlCOlZGV1AQIWZcy6Z2d
MD5:	4E7041F6BA84A555A39DB29B9FDF713C
SHA1:	97DE1E9BF38DB1C624CE02C75650EA62D50CDED6
SHA-256:	CB1361F5B1C26733BEDD2320984724602DCCD56B6A3D373F2459ACB2D214E6F9
SHA-512:	3E9B0ABDF4D9566A9F785A0A0CFF64D392D59C74AF027D6839D54896930C9F89D533786045655C8068A488C3AE5277BE28452C8E2E0B7A149B810E9743F0115B
Malicious:	false
Preview:	{"type":"health","id":"1243ecd8-d531-4ace-ac19-bec6dfbb926b","creationDate":"2024-10-30T00:47:31.107Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.331907388291332
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZfdLXnIgBQf/pnxQwRlszT5sKt07e3eHVQj6TjamhujJlOsIomNVZ:GUpOxodpanR6v3eHTj4JlIpuR4
MD5:	97EC5E79F8EDFE13673D870AD5373A80
SHA1:	D6777CE52D58D94BE4DBC4642D31140A17904DE9
SHA-256:	5FD20AC4F055F8E2C6EC59C2366EA6C746E9A68711261158D13DFF7D5382C965
SHA-512:	C000E799A9A762E1CE627BEDFEBE218272A66DB7FF5EB4FF8A92BAC7A12A3B1EE5E5B4B2C3E80215C566575B7A8F3D4F860C7953516BEB16E8D3B76FA86E13A1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c5d689df-4669-42e9-8158-5e472f174cde}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730249224683,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....vtartTim..`190456...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....198253,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.331907388291332
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZfdLXnIgBQf/pnxQwRlszT5sKt07e3eHVQj6TjamhujJlOsIomNVZ:GUpOxodpanR6v3eHTj4JlIpuR4
MD5:	97EC5E79F8EDFE13673D870AD5373A80
SHA1:	D6777CE52D58D94BE4DBC4642D31140A17904DE9
SHA-256:	5FD20AC4F055F8E2C6EC59C2366EA6C746E9A68711261158D13DFF7D5382C965
SHA-512:	C000E799A9A762E1CE627BEDFEBE218272A66DB7FF5EB4FF8A92BAC7A12A3B1EE5E5B4B2C3E80215C566575B7A8F3D4F860C7953516BEB16E8D3B76FA86E13A1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c5d689df-4669-42e9-8158-5e472f174cde}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730249224683,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....vtartTim..`190456...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....198253,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.331907388291332
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSZfdLXnIgBQf/pnxQwRlszT5sKt07e3eHVQj6TjamhujJlOsIomNVZ:GUpOxodpanR6v3eHTj4JlIpuR4
MD5:	97EC5E79F8EDFE13673D870AD5373A80
SHA1:	D6777CE52D58D94BE4DBC4642D31140A17904DE9
SHA-256:	5FD20AC4F055F8E2C6EC59C2366EA6C746E9A68711261158D13DFF7D5382C965
SHA-512:	C000E799A9A762E1CE627BEDFEBE218272A66DB7FF5EB4FF8A92BAC7A12A3B1EE5E5B4B2C3E80215C566575B7A8F3D4F860C7953516BEB16E8D3B76FA86E13A1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{c5d689df-4669-42e9-8158-5e472f174cde}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730249224683,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....vtartTim..`190456...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....198253,"originA.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0345177124578235
Encrypted:	false
SSDEEP:	48:YrSAYn36UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yc3yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E770400C2B3B2E6A0C39AB53AC4467F3
SHA1:	A93A3148C827CD195E99A7FA785B6EDF205656D0
SHA-256:	85B3F0E10654AD59DBE42C9465E9A211B7A603CAFBA9D467FD6411DD9CB721AA
SHA-512:	A405F77FC52225A0448ECC157D0483C1730D3D968594F11CFA85F624919D508610BFC1FC6E1199B7456FC001AC2B2AE2136E43044C6DC438839ADDA6BB54006A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T00:46:44.691Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.0345177124578235
Encrypted:	false
SSDEEP:	48:YrSAYn36UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yc3yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	E770400C2B3B2E6A0C39AB53AC4467F3
SHA1:	A93A3148C827CD195E99A7FA785B6EDF205656D0
SHA-256:	85B3F0E10654AD59DBE42C9465E9A211B7A603CAFBA9D467FD6411DD9CB721AA
SHA-512:	A405F77FC52225A0448ECC157D0483C1730D3D968594F11CFA85F624919D508610BFC1FC6E1199B7456FC001AC2B2AE2136E43044C6DC438839ADDA6BB54006A
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T00:46:44.691Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846812803123385
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	bc172e909f941b88af9d0eb4fb0c16ff
SHA1:	d5d4a9130808b2270b4945d84aef86de47f820ca
SHA256:	d9749480b21a4d4c977133fe24b27a65a18955cda393d243c331e7d30c786b5c
SHA512:	52a31bb0273ce2000708c7a801a3b4f2bae07659f08b8afe8f01e94746e159aca3aaa6381c2f6f57f734c7b97f5da06bd36a548c5be52ae4ced8e9d3bbe17f53
SSDEEP:	12288:6qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tc:6qDEvCTbMWu7rQYlBQcBiT6rprG8abc
TLSH:	79159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67216F22 [Tue Oct 29 23:26:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBCE1494303h
jmp 00007FBCE1493C0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBCE1493DEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBCE1493DBAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBCE14969ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBCE14969F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBCE14969E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	e1203aac7c982742a600361427c11984	False	0.3156398338607595	data	5.3736880615975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 00:45:04.743010998 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:04.743129015 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:04.747714043 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:04.752523899 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:04.752583981 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:05.393569946 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:05.393657923 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:05.402420998 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:05.402470112 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:05.402635098 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:05.402816057 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:05.403134108 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:06.500528097 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:06.500577927 CET	443	49738	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:06.501208067 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:06.502801895 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:06.502823114 CET	443	49738	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:06.718523979 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:06.718565941 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:06.722145081 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:06.727591038 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:06.729406118 CET	80	49740	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:06.731933117 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:06.731949091 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:06.743278980 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:06.746290922 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:06.753729105 CET	80	49740	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.265512943 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.265554905 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.265753031 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.267050028 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.267065048 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.282219887 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.282265902 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.282789946 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.284183025 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.284195900 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.285341024 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.285351038 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.285516024 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.285656929 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.285662889 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.334414959 CET	80	49740	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.391798973 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.408269882 CET	443	49738	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.408361912 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.409274101 CET	443	49738	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.409363985 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.413520098 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.413530111 CET	443	49738	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.413609982 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.413868904 CET	443	49738	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.416347027 CET	49738	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.442035913 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:07.442079067 CET	443	49744	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:07.442236900 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:07.442423105 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:07.442445040 CET	443	49744	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:07.543345928 CET	49745	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.548871994 CET	80	49745	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.553738117 CET	49745	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.553877115 CET	49745	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.559298038 CET	80	49745	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.584677935 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.584691048 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.584748983 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.585644960 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.585882902 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.590188026 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.590207100 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.590264082 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.590435028 CET	443	49739	172.217.18.14	192.168.2.4
Oct 30, 2024 00:45:07.598062992 CET	49739	443	192.168.2.4	172.217.18.14
Oct 30, 2024 00:45:07.760694027 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.767607927 CET	80	49740	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.878739119 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.878989935 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.884217978 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.884238005 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.884321928 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.884437084 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.884708881 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.884752035 CET	443	49746	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.885301113 CET	80	49740	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.889962912 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.890006065 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.891455889 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.891468048 CET	443	49746	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.907835960 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.909684896 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.912209988 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.912823915 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.912842989 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.913018942 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.913110018 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.917475939 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.917690039 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:07.917695045 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.917716026 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:07.919183016 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.919194937 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.919281960 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.919498920 CET	443	49742	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.919641972 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.919682026 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.919704914 CET	49742	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.919877052 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.921202898 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:07.921214104 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:07.931174994 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.985800028 CET	49745	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.989604950 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:07.996973991 CET	80	49740	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:07.997102022 CET	49740	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.030253887 CET	80	49745	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:08.031409025 CET	49745	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.048173904 CET	443	49744	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.054347992 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.057586908 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.057607889 CET	443	49744	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.057909966 CET	443	49744	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.060286045 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.060308933 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.060502052 CET	443	49744	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.060667038 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.060709953 CET	49744	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.060756922 CET	443	49748	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.060853004 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.060961962 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.060986996 CET	443	49748	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.123338938 CET	443	49743	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:08.123406887 CET	49743	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:08.174685001 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.182046890 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:08.182125092 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.182250977 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.189104080 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:08.382261038 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.389013052 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:08.391360044 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.391850948 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:08.399003983 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:08.519603014 CET	443	49746	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:08.530020952 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:08.530369997 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.530370951 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.538124084 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.538134098 CET	443	49746	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:08.538197041 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.538392067 CET	443	49746	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:08.539220095 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.539235115 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:08.539298058 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.539472103 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:08.554124117 CET	49746	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.554133892 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:08.690305948 CET	443	49748	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.690665007 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.693397045 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.693422079 CET	443	49748	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.693664074 CET	443	49748	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.695945024 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.696011066 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.696104050 CET	443	49748	34.160.144.191	192.168.2.4
Oct 30, 2024 00:45:08.696983099 CET	49748	443	192.168.2.4	34.160.144.191
Oct 30, 2024 00:45:08.797519922 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:08.853338957 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:09.010384083 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:09.068469048 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:10.608947039 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:10.608998060 CET	443	49754	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:10.609044075 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:10.614377022 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:10.615731955 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:10.615745068 CET	443	49754	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:10.617381096 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:10.655205011 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:10.663309097 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:10.741267920 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:10.787513018 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:10.789215088 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:10.835879087 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:11.246624947 CET	443	49754	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.246709108 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.251053095 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.251064062 CET	443	49754	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.251177073 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.251239061 CET	443	49754	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.251291037 CET	49754	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.251521111 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.251562119 CET	443	49755	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.251696110 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.252973080 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.252985954 CET	443	49755	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.283776045 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:11.291064024 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:11.317918062 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:11.317958117 CET	443	49756	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:11.318799019 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:11.318857908 CET	443	49757	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:11.321965933 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:11.321968079 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:11.322119951 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:11.322132111 CET	443	49756	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:11.323715925 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:11.323739052 CET	443	49757	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:11.339121103 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:11.339144945 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:11.339718103 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:11.341154099 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:11.341167927 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:11.342242002 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:11.342291117 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:11.344033957 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:11.345415115 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:11.345427036 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:11.414020061 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:11.459984064 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:11.861900091 CET	443	49755	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.861978054 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.866163015 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.866174936 CET	443	49755	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.866267920 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.866519928 CET	443	49755	34.117.188.166	192.168.2.4
Oct 30, 2024 00:45:11.869004965 CET	49755	443	192.168.2.4	34.117.188.166
Oct 30, 2024 00:45:11.870234966 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:11.877496004 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:11.950355053 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:11.950423002 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:11.959800005 CET	443	49756	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:11.959892988 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:11.965027094 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:11.965120077 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:11.972225904 CET	443	49757	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:11.972311020 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:12.001411915 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:12.056246042 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:12.510992050 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:12.511009932 CET	443	49756	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:12.511358976 CET	443	49756	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:12.515985012 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:12.516000986 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:12.516028881 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:12.516052008 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:12.516067028 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:12.516134024 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:12.516233921 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:12.516253948 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:12.516288996 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:12.516340971 CET	443	49756	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:12.516417980 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:12.516625881 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:12.516645908 CET	49756	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:12.516654015 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:12.518388033 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:12.518409967 CET	443	49757	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:12.518440962 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:12.518960953 CET	443	49757	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:12.519013882 CET	49757	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:15.333180904 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:15.346223116 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:15.469388008 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:15.513870001 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:16.848566055 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:16.854175091 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:16.858680964 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.858721018 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:16.858869076 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.860112906 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.860125065 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:16.944665909 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.944751978 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:16.945446968 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.945635080 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.945663929 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:16.947030067 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.947077036 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:16.947633028 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.947710037 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:16.947725058 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:16.949620008 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:16.949647903 CET	443	49765	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:16.950006008 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:16.978373051 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:17.040338993 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:17.042171001 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:17.042186975 CET	443	49765	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:17.084444046 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:17.091413021 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:17.215333939 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:17.256572008 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:17.506299973 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.511351109 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.518475056 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.550611973 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.550625086 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.550663948 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.551449060 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.551992893 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.553819895 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:17.556633949 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.556679964 CET	443	49766	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.556981087 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.557729006 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.557924032 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.558444977 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.558461905 CET	443	49766	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.561765909 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.561780930 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.562098026 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.562488079 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:17.564619064 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.564714909 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.564779997 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.565099001 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.584673882 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.584826946 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.587496996 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.587508917 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.587842941 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.598248959 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.598331928 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.598442078 CET	443	49764	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:17.598546028 CET	49764	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:17.672023058 CET	443	49765	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:17.672208071 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:17.685759068 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:17.742372990 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:18.194998980 CET	443	49766	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:18.197217941 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.279248953 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:18.279273987 CET	443	49765	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:18.279453993 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:18.279536009 CET	443	49765	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:18.279635906 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.279671907 CET	443	49766	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:18.279695034 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.280280113 CET	49765	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:18.280397892 CET	443	49766	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:18.280757904 CET	49766	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.837060928 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:18.844189882 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:18.847842932 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.847887039 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:18.848700047 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.925915956 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:18.925930977 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:18.927642107 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:18.935029030 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:18.966993093 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.027942896 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.059242010 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.106070042 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.466430902 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.473412037 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.475193024 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.475235939 CET	443	49771	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.475903988 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.476470947 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.476484060 CET	443	49771	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.505538940 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.505580902 CET	443	49772	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.505871058 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.507190943 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.507208109 CET	443	49772	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.596108913 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.654036999 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.660991907 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.663341045 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.664736986 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.667531013 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.667545080 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.668303013 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.669697046 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.669783115 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.670094013 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:19.670396090 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:19.708637953 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.715842009 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.839565039 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.842376947 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.849287033 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:19.880609035 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:19.972130060 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:20.012162924 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:20.109097958 CET	443	49772	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.109183073 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.110650063 CET	443	49771	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.110800982 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.113504887 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.113512993 CET	443	49771	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.113878965 CET	443	49771	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.116643906 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.116673946 CET	443	49772	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.116744041 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.116914988 CET	443	49772	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.116991997 CET	49772	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.159317017 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.923530102 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.923655033 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.923876047 CET	443	49771	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.924871922 CET	49771	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.927397966 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:20.929779053 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.929871082 CET	443	49774	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.930103064 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.931994915 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:20.932035923 CET	443	49774	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:20.934770107 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:21.059199095 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:21.065999985 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:21.073379993 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:21.073709011 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:21.073777914 CET	443	49775	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:21.074232101 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:21.075488091 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:21.075521946 CET	443	49775	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:21.115174055 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:21.196116924 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:21.246725082 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:21.541788101 CET	443	49774	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:21.541881084 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:21.700906038 CET	443	49775	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:21.701028109 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:21.778001070 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:21.778036118 CET	443	49774	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:21.778142929 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:21.778271914 CET	443	49774	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:21.778295994 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:21.778311968 CET	443	49775	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:21.778383017 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:21.778764009 CET	443	49775	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:21.779503107 CET	49774	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:21.779526949 CET	49775	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:22.018805981 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:22.023370981 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:22.023411989 CET	443	49776	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:22.024214983 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:22.025485039 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:22.025527954 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:22.025547028 CET	443	49776	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:22.149904013 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:22.152529955 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:22.160653114 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:22.196294069 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:22.284749985 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:22.334347010 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:22.659084082 CET	443	49776	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:22.659154892 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:23.162476063 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:23.162513018 CET	443	49776	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:23.162573099 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:23.162908077 CET	443	49776	34.120.208.123	192.168.2.4
Oct 30, 2024 00:45:23.162976027 CET	49776	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:45:23.240514040 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:23.247637033 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:23.371543884 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:23.375288010 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:23.382323980 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:23.421977997 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:23.505966902 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:23.553515911 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:31.449573040 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:31.454979897 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:31.579399109 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:31.582282066 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:31.587801933 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:31.623306990 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:31.711157084 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:31.761389017 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:32.609308004 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:32.609395027 CET	443	49778	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:32.609467983 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:32.610929966 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:32.610959053 CET	443	49778	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:33.158097982 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.158155918 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.165196896 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.165535927 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.165549040 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.191941023 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.191977024 CET	443	49780	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:33.196666956 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.197994947 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.198008060 CET	443	49780	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:33.200352907 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.200364113 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.203763962 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.203824997 CET	443	49782	151.101.193.91	192.168.2.4
Oct 30, 2024 00:45:33.204761028 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.204875946 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.205007076 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.205022097 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.205157042 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.205192089 CET	443	49782	151.101.193.91	192.168.2.4
Oct 30, 2024 00:45:33.206228971 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.206249952 CET	443	49783	35.201.103.21	192.168.2.4
Oct 30, 2024 00:45:33.206794024 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.208157063 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.208184004 CET	443	49783	35.201.103.21	192.168.2.4
Oct 30, 2024 00:45:33.241066933 CET	443	49778	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:33.251338005 CET	443	49778	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:33.252650023 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:33.252854109 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:33.257424116 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:33.257452011 CET	443	49778	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:33.257692099 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:33.257982016 CET	443	49778	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:33.260462999 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:33.264576912 CET	49778	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:33.266462088 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.390851021 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.393630981 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:33.399017096 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.450611115 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:33.521996021 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.566428900 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:33.782206059 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.782222986 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.782285929 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.785631895 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.785661936 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.786015034 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.788316011 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.788397074 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.788522959 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.788892984 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.792005062 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:33.797455072 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.803534985 CET	443	49780	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:33.803601980 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.807725906 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.807737112 CET	443	49780	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:33.807806015 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.807862043 CET	443	49780	35.190.72.216	192.168.2.4
Oct 30, 2024 00:45:33.808020115 CET	49780	443	192.168.2.4	35.190.72.216
Oct 30, 2024 00:45:33.815371990 CET	443	49782	151.101.193.91	192.168.2.4
Oct 30, 2024 00:45:33.819245100 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.829499006 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.829521894 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.832204103 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.832252026 CET	443	49782	151.101.193.91	192.168.2.4
Oct 30, 2024 00:45:33.832456112 CET	443	49782	151.101.193.91	192.168.2.4
Oct 30, 2024 00:45:33.834409952 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.834414005 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.835249901 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.836680889 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.836747885 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.836827993 CET	443	49782	151.101.193.91	192.168.2.4
Oct 30, 2024 00:45:33.836942911 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.837033987 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.837325096 CET	443	49781	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.837445974 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.837502956 CET	443	49784	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.842283010 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.842288017 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.842300892 CET	49781	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.842315912 CET	49782	443	192.168.2.4	151.101.193.91
Oct 30, 2024 00:45:33.842334032 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.842508078 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.842538118 CET	443	49784	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.842730045 CET	443	49783	35.201.103.21	192.168.2.4
Oct 30, 2024 00:45:33.843712091 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.843755960 CET	443	49785	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.844042063 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.844050884 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.845954895 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.845969915 CET	443	49785	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.847542048 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.847553968 CET	443	49783	35.201.103.21	192.168.2.4
Oct 30, 2024 00:45:33.847615004 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.847824097 CET	443	49783	35.201.103.21	192.168.2.4
Oct 30, 2024 00:45:33.851655006 CET	49783	443	192.168.2.4	35.201.103.21
Oct 30, 2024 00:45:33.855501890 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.855537891 CET	443	49786	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.855891943 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.855984926 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.855998993 CET	443	49786	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.860172987 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.860183954 CET	443	49787	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.860493898 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.860610008 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:33.860620022 CET	443	49787	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:33.862413883 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.862442017 CET	443	49788	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.862536907 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.862715006 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:33.862730980 CET	443	49788	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:33.921318054 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.924305916 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:33.929749012 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:33.967530966 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:34.053170919 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:34.099090099 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:34.454057932 CET	443	49785	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.454144955 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.456671953 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.456681967 CET	443	49785	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.457078934 CET	443	49785	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.458775997 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.458872080 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.458971024 CET	443	49785	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.462171078 CET	443	49784	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.463037968 CET	443	49786	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.463588953 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:34.464446068 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.464462996 CET	49785	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.464487076 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.464541912 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.467267036 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.467295885 CET	443	49784	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.467689991 CET	443	49784	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.469603062 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:34.469803095 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.469809055 CET	443	49786	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.469989061 CET	443	49787	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.470031023 CET	443	49786	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.470344067 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.473079920 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.473084927 CET	443	49787	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.473738909 CET	443	49787	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.474354982 CET	443	49788	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.474795103 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.477207899 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.477217913 CET	443	49788	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.477873087 CET	443	49788	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.478183985 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.478456020 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.478533983 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.478621006 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.478678942 CET	443	49784	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.478708029 CET	443	49786	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.480675936 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.480746984 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.480886936 CET	443	49787	35.244.181.201	192.168.2.4
Oct 30, 2024 00:45:34.482305050 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.482389927 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.482516050 CET	443	49788	34.149.100.209	192.168.2.4
Oct 30, 2024 00:45:34.483056068 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.483088017 CET	49784	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.483092070 CET	49786	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.483108997 CET	49787	443	192.168.2.4	35.244.181.201
Oct 30, 2024 00:45:34.483730078 CET	49788	443	192.168.2.4	34.149.100.209
Oct 30, 2024 00:45:34.593383074 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:34.595910072 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:34.601321936 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:34.653903961 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:34.724551916 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:34.769831896 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:44.598254919 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:44.605839968 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:44.729871035 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:44.737521887 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:53.359455109 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:53.359569073 CET	443	49790	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:53.360723972 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:53.362096071 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:53.362149000 CET	443	49790	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:54.000840902 CET	443	49790	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:54.000971079 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:54.007040024 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:54.007072926 CET	443	49790	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:54.007134914 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:54.007493019 CET	443	49790	34.107.243.93	192.168.2.4
Oct 30, 2024 00:45:54.007556915 CET	49790	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:45:54.014231920 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:54.021193027 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:54.145232916 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:54.149213076 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:54.156112909 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:54.187884092 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:45:54.279751062 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:45:54.325916052 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:02.858036041 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.858100891 CET	443	49827	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:02.858630896 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.858773947 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.858805895 CET	443	49827	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:02.861663103 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.861704111 CET	443	49828	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:02.862627029 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.862709999 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.862721920 CET	443	49828	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:02.865758896 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.865772963 CET	443	49829	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:02.867063046 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.867162943 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:02.867167950 CET	443	49829	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.471687078 CET	443	49827	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.471863031 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.475049019 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.475065947 CET	443	49827	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.475416899 CET	443	49827	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.477643013 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.477737904 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.477837086 CET	443	49827	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.478240013 CET	443	49829	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.478780985 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.478780985 CET	49827	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.478801012 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.480995893 CET	443	49828	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.481714010 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.481719971 CET	443	49829	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.481935978 CET	443	49829	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.482851982 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.485178947 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.485196114 CET	443	49828	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.485433102 CET	443	49828	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.486820936 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.486896992 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.486960888 CET	443	49829	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.488120079 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.488183022 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.488271952 CET	443	49828	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.488343954 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.488359928 CET	49829	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.488360882 CET	49828	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.507028103 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:03.514000893 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:03.544621944 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.544680119 CET	443	49835	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.544768095 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.544826984 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.544879913 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.544955969 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.545069933 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.545089960 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.546688080 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.546691895 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.546714067 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.546747923 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.546863079 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.546894073 CET	443	49835	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.546933889 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.546964884 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.546999931 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.547034025 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.547054052 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:03.547077894 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:03.637758970 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:03.674356937 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:03.681279898 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:03.699090958 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:03.803890944 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:03.852406979 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:04.157916069 CET	443	49835	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.158122063 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.158868074 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.159473896 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.161335945 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.161362886 CET	443	49835	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.161607027 CET	443	49835	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.163769007 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.163784027 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.164048910 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.166620970 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.166785002 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.166888952 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.166933060 CET	443	49835	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.167376995 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.167525053 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.167623997 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.167639017 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.167773962 CET	49835	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.167793989 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.167809010 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.170574903 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.170589924 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.170953035 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.171015978 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.172188044 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.174154043 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.174165010 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.174524069 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.174801111 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:04.174902916 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.175160885 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.175206900 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.175220966 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.175606966 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.177885056 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.177967072 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.178088903 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 00:46:04.178580999 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 00:46:04.181658983 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:04.305665970 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:04.308404922 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:04.315458059 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:04.360799074 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:04.438292980 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:04.492330074 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:14.315963030 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:14.323196888 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:14.438395023 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:14.443737984 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:24.329293966 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:24.334635973 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:24.445235014 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:24.450665951 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.023534060 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.023552895 CET	443	50006	34.107.243.93	192.168.2.4
Oct 30, 2024 00:46:34.023749113 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.025034904 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.025048971 CET	443	50006	34.107.243.93	192.168.2.4
Oct 30, 2024 00:46:34.342621088 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:34.349775076 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.458550930 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:34.464006901 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.636666059 CET	443	50006	34.107.243.93	192.168.2.4
Oct 30, 2024 00:46:34.636873007 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.643081903 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.643090010 CET	443	50006	34.107.243.93	192.168.2.4
Oct 30, 2024 00:46:34.643177032 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.643269062 CET	443	50006	34.107.243.93	192.168.2.4
Oct 30, 2024 00:46:34.643552065 CET	50006	443	192.168.2.4	34.107.243.93
Oct 30, 2024 00:46:34.646620035 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:34.653407097 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.778238058 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.781632900 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:34.788532972 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.828505993 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:34.913508892 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:34.960053921 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:44.788391113 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:44.793736935 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:44.926665068 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:44.932018042 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:54.801513910 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:54.808599949 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:46:54.955270052 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:46:54.960675955 CET	80	49750	34.107.221.82	192.168.2.4
Oct 30, 2024 00:47:04.826219082 CET	49751	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:47:04.831784010 CET	80	49751	34.107.221.82	192.168.2.4
Oct 30, 2024 00:47:04.973364115 CET	49750	80	192.168.2.4	34.107.221.82
Oct 30, 2024 00:47:04.978796959 CET	80	49750	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 00:45:04.744183064 CET	64098	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:04.757633924 CET	53	64098	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:04.770539045 CET	49674	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:04.780908108 CET	53	49674	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:06.486124992 CET	64996	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:06.486443996 CET	55689	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:06.495541096 CET	53	55689	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:06.500834942 CET	54694	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:06.502048016 CET	61074	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:06.509670019 CET	53	54694	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:06.510258913 CET	52778	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:06.511275053 CET	53	61074	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:06.511915922 CET	55379	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:06.519371033 CET	53	52778	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:06.522217035 CET	53	55379	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.257262945 CET	55129	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.264729023 CET	53	55129	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.265678883 CET	63268	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.273425102 CET	53	63268	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.273720026 CET	57515	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.274384022 CET	61242	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.281567097 CET	53	57515	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.281904936 CET	53	61242	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.282653093 CET	54559	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.285715103 CET	60495	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.290335894 CET	53	54559	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.293124914 CET	56370	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.293288946 CET	53	60495	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.293873072 CET	51271	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.301204920 CET	53	56370	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.302148104 CET	53	51271	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.432810068 CET	64926	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.441183090 CET	53	64926	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.442182064 CET	54222	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.450006962 CET	53	54222	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.451359987 CET	49592	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.459022045 CET	53	49592	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.512609959 CET	52961	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.516172886 CET	51450	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:07.520947933 CET	53	52961	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.523987055 CET	53	51450	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:07.527220011 CET	54766	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:09.019243956 CET	56924	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:09.057571888 CET	53	50492	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:10.645606995 CET	49990	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:10.655981064 CET	53	49990	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:10.674226046 CET	65366	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:10.776866913 CET	53	65366	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:10.790395021 CET	57441	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:10.815546989 CET	53	57441	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:10.856894970 CET	60910	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:10.866282940 CET	53	60910	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.152004957 CET	54307	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.161597013 CET	53	54307	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.176239967 CET	61998	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.185097933 CET	53	61998	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.318933964 CET	56812	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.327886105 CET	53	56812	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.339653969 CET	54846	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.342819929 CET	63754	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.348867893 CET	53	54846	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.352263927 CET	53	63754	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.360474110 CET	60689	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.365670919 CET	60690	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:11.369399071 CET	53	60689	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:11.375241995 CET	53	60690	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:16.850022078 CET	50991	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:16.857394934 CET	53	50991	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.453993082 CET	64468	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.454266071 CET	65371	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.454608917 CET	51108	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.462851048 CET	53	65371	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.463433027 CET	57781	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.463515997 CET	53	64468	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.464813948 CET	53	51108	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.465313911 CET	64163	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.472172976 CET	53	57781	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.472615004 CET	65290	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.474304914 CET	53	64163	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.474870920 CET	64006	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.478257895 CET	56053	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.482134104 CET	53	65290	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.482666969 CET	62825	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.483692884 CET	53	64006	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.484148026 CET	59237	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.486985922 CET	53	56053	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.490612030 CET	49982	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.491736889 CET	53	62825	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.492830992 CET	53	59237	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.499650002 CET	53	49982	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.521589041 CET	57828	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.531117916 CET	53	57828	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.548255920 CET	54580	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.548484087 CET	62368	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.557569027 CET	53	54580	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.557594061 CET	53	62368	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:17.558271885 CET	59745	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:17.567358017 CET	53	59745	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:21.074059010 CET	49539	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:21.082986116 CET	53	49539	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:22.025876999 CET	50949	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:22.037709951 CET	53	50949	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:32.598107100 CET	50644	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:32.606308937 CET	53	50644	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:32.608845949 CET	63058	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:32.616063118 CET	53	63058	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.158525944 CET	49898	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.166702032 CET	53	49898	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.177890062 CET	59279	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.185380936 CET	53	59279	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.192780018 CET	62079	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.192953110 CET	57354	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.200210094 CET	53	57354	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.201019049 CET	53	62079	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.204498053 CET	59868	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.206723928 CET	56717	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.212229967 CET	53	59868	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.215550900 CET	53	56717	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.221112967 CET	55516	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.221831083 CET	59006	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:33.228395939 CET	53	55516	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:33.229237080 CET	53	59006	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:53.360224009 CET	52937	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:45:53.369245052 CET	53	52937	1.1.1.1	192.168.2.4
Oct 30, 2024 00:45:54.014780045 CET	60542	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:46:02.858357906 CET	58536	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:46:02.866961956 CET	53	58536	1.1.1.1	192.168.2.4
Oct 30, 2024 00:46:34.012814999 CET	49662	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:46:34.022691965 CET	53	49662	1.1.1.1	192.168.2.4
Oct 30, 2024 00:46:34.023504972 CET	53014	53	192.168.2.4	1.1.1.1
Oct 30, 2024 00:46:34.032540083 CET	53	53014	1.1.1.1	192.168.2.4
Oct 30, 2024 00:46:34.646800041 CET	62278	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 00:45:04.744183064 CET	192.168.2.4	1.1.1.1	0x7a37	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:04.770539045 CET	192.168.2.4	1.1.1.1	0x6c66	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:06.486124992 CET	192.168.2.4	1.1.1.1	0xfdac	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.486443996 CET	192.168.2.4	1.1.1.1	0x101	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.500834942 CET	192.168.2.4	1.1.1.1	0xdc38	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.502048016 CET	192.168.2.4	1.1.1.1	0x8b43	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.510258913 CET	192.168.2.4	1.1.1.1	0x1dee	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:06.511915922 CET	192.168.2.4	1.1.1.1	0x7a4e	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:07.257262945 CET	192.168.2.4	1.1.1.1	0x8ac9	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.265678883 CET	192.168.2.4	1.1.1.1	0xd057	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.273720026 CET	192.168.2.4	1.1.1.1	0xc3c6	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.274384022 CET	192.168.2.4	1.1.1.1	0x276	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:07.282653093 CET	192.168.2.4	1.1.1.1	0x2d25	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.285715103 CET	192.168.2.4	1.1.1.1	0x9402	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.293124914 CET	192.168.2.4	1.1.1.1	0x40dd	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:07.293873072 CET	192.168.2.4	1.1.1.1	0x14b3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:07.432810068 CET	192.168.2.4	1.1.1.1	0x7c05	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.442182064 CET	192.168.2.4	1.1.1.1	0x6e1c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.451359987 CET	192.168.2.4	1.1.1.1	0xe677	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:07.512609959 CET	192.168.2.4	1.1.1.1	0xeae5	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.516172886 CET	192.168.2.4	1.1.1.1	0x3681	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.527220011 CET	192.168.2.4	1.1.1.1	0x60b0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:09.019243956 CET	192.168.2.4	1.1.1.1	0x8de3	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:10.645606995 CET	192.168.2.4	1.1.1.1	0xd321	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:10.674226046 CET	192.168.2.4	1.1.1.1	0xf390	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:10.790395021 CET	192.168.2.4	1.1.1.1	0x31a9	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:10.856894970 CET	192.168.2.4	1.1.1.1	0x9862	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.152004957 CET	192.168.2.4	1.1.1.1	0xb47b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.176239967 CET	192.168.2.4	1.1.1.1	0x78ba	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:11.318933964 CET	192.168.2.4	1.1.1.1	0xfba	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.339653969 CET	192.168.2.4	1.1.1.1	0x5930	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.342819929 CET	192.168.2.4	1.1.1.1	0xa829	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.360474110 CET	192.168.2.4	1.1.1.1	0xacd9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:11.365670919 CET	192.168.2.4	1.1.1.1	0x7abe	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:16.850022078 CET	192.168.2.4	1.1.1.1	0xa96c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:17.453993082 CET	192.168.2.4	1.1.1.1	0x853a	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.454266071 CET	192.168.2.4	1.1.1.1	0xaf60	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.454608917 CET	192.168.2.4	1.1.1.1	0xc279	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463433027 CET	192.168.2.4	1.1.1.1	0xc787	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.465313911 CET	192.168.2.4	1.1.1.1	0x2c22	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.472615004 CET	192.168.2.4	1.1.1.1	0x9c31	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:17.474870920 CET	192.168.2.4	1.1.1.1	0x734e	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 00:45:17.478257895 CET	192.168.2.4	1.1.1.1	0x241	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.482666969 CET	192.168.2.4	1.1.1.1	0x4689	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.484148026 CET	192.168.2.4	1.1.1.1	0x26a1	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.490612030 CET	192.168.2.4	1.1.1.1	0x3d5c	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:17.521589041 CET	192.168.2.4	1.1.1.1	0xb68b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.548255920 CET	192.168.2.4	1.1.1.1	0x1e12	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:17.548484087 CET	192.168.2.4	1.1.1.1	0x128c	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.558271885 CET	192.168.2.4	1.1.1.1	0xb4db	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:21.074059010 CET	192.168.2.4	1.1.1.1	0xbf13	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:22.025876999 CET	192.168.2.4	1.1.1.1	0xba66	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:32.598107100 CET	192.168.2.4	1.1.1.1	0xc976	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:32.608845949 CET	192.168.2.4	1.1.1.1	0x3c36	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:33.158525944 CET	192.168.2.4	1.1.1.1	0xacaf	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.177890062 CET	192.168.2.4	1.1.1.1	0x36c6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.192780018 CET	192.168.2.4	1.1.1.1	0xf1b0	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.192953110 CET	192.168.2.4	1.1.1.1	0x9f3d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 00:45:33.204498053 CET	192.168.2.4	1.1.1.1	0xb7e7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.206723928 CET	192.168.2.4	1.1.1.1	0x5b6	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.221112967 CET	192.168.2.4	1.1.1.1	0x109	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:33.221831083 CET	192.168.2.4	1.1.1.1	0x9bdb	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 00:45:53.360224009 CET	192.168.2.4	1.1.1.1	0xecf4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:45:54.014780045 CET	192.168.2.4	1.1.1.1	0x3b2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:46:02.858357906 CET	192.168.2.4	1.1.1.1	0xc1a5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:46:34.012814999 CET	192.168.2.4	1.1.1.1	0xab5e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:46:34.023504972 CET	192.168.2.4	1.1.1.1	0xef9b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 00:46:34.646800041 CET	192.168.2.4	1.1.1.1	0xcd58	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 00:45:04.665436029 CET	1.1.1.1	192.168.2.4	0xa5d1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:04.757633924 CET	1.1.1.1	192.168.2.4	0x7a37	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.495541096 CET	1.1.1.1	192.168.2.4	0x101	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.495594978 CET	1.1.1.1	192.168.2.4	0xfdac	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:06.495594978 CET	1.1.1.1	192.168.2.4	0xfdac	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.509670019 CET	1.1.1.1	192.168.2.4	0xdc38	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.511275053 CET	1.1.1.1	192.168.2.4	0x8b43	No error (0)	youtube.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:06.519371033 CET	1.1.1.1	192.168.2.4	0x1dee	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 00:45:06.522217035 CET	1.1.1.1	192.168.2.4	0x7a4e	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 00:45:07.264729023 CET	1.1.1.1	192.168.2.4	0x8ac9	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.273425102 CET	1.1.1.1	192.168.2.4	0xd057	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.281567097 CET	1.1.1.1	192.168.2.4	0xc3c6	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:07.281567097 CET	1.1.1.1	192.168.2.4	0xc3c6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.283711910 CET	1.1.1.1	192.168.2.4	0x6b34	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:07.283711910 CET	1.1.1.1	192.168.2.4	0x6b34	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.290335894 CET	1.1.1.1	192.168.2.4	0x2d25	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.293288946 CET	1.1.1.1	192.168.2.4	0x9402	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.441183090 CET	1.1.1.1	192.168.2.4	0x7c05	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:07.441183090 CET	1.1.1.1	192.168.2.4	0x7c05	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:07.441183090 CET	1.1.1.1	192.168.2.4	0x7c05	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.450006962 CET	1.1.1.1	192.168.2.4	0x6e1c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.459022045 CET	1.1.1.1	192.168.2.4	0xe677	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 00:45:07.520947933 CET	1.1.1.1	192.168.2.4	0xeae5	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.523987055 CET	1.1.1.1	192.168.2.4	0x3681	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.523987055 CET	1.1.1.1	192.168.2.4	0x3681	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:07.534822941 CET	1.1.1.1	192.168.2.4	0x60b0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:07.534822941 CET	1.1.1.1	192.168.2.4	0x60b0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:09.028146982 CET	1.1.1.1	192.168.2.4	0x8de3	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:10.655981064 CET	1.1.1.1	192.168.2.4	0xd321	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:10.655981064 CET	1.1.1.1	192.168.2.4	0xd321	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:10.655981064 CET	1.1.1.1	192.168.2.4	0xd321	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:10.776866913 CET	1.1.1.1	192.168.2.4	0xf390	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:10.866282940 CET	1.1.1.1	192.168.2.4	0x9862	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.161597013 CET	1.1.1.1	192.168.2.4	0xb47b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.295191050 CET	1.1.1.1	192.168.2.4	0x1dd0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:11.295191050 CET	1.1.1.1	192.168.2.4	0x1dd0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.327759981 CET	1.1.1.1	192.168.2.4	0x301b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.327886105 CET	1.1.1.1	192.168.2.4	0xfba	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:11.327886105 CET	1.1.1.1	192.168.2.4	0xfba	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.348867893 CET	1.1.1.1	192.168.2.4	0x5930	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:11.352263927 CET	1.1.1.1	192.168.2.4	0xa829	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:16.857744932 CET	1.1.1.1	192.168.2.4	0xcae3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.462851048 CET	1.1.1.1	192.168.2.4	0xaf60	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:17.462851048 CET	1.1.1.1	192.168.2.4	0xaf60	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.463515997 CET	1.1.1.1	192.168.2.4	0x853a	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.464813948 CET	1.1.1.1	192.168.2.4	0xc279	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:17.464813948 CET	1.1.1.1	192.168.2.4	0xc279	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.472172976 CET	1.1.1.1	192.168.2.4	0xc787	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.474304914 CET	1.1.1.1	192.168.2.4	0x2c22	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.482134104 CET	1.1.1.1	192.168.2.4	0x9c31	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 00:45:17.483692884 CET	1.1.1.1	192.168.2.4	0x734e	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.486985922 CET	1.1.1.1	192.168.2.4	0x241	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.491736889 CET	1.1.1.1	192.168.2.4	0x4689	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:17.491736889 CET	1.1.1.1	192.168.2.4	0x4689	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.491736889 CET	1.1.1.1	192.168.2.4	0x4689	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.491736889 CET	1.1.1.1	192.168.2.4	0x4689	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.491736889 CET	1.1.1.1	192.168.2.4	0x4689	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.492830992 CET	1.1.1.1	192.168.2.4	0x26a1	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.499650002 CET	1.1.1.1	192.168.2.4	0x3d5c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 00:45:17.499650002 CET	1.1.1.1	192.168.2.4	0x3d5c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 00:45:17.499650002 CET	1.1.1.1	192.168.2.4	0x3d5c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 00:45:17.499650002 CET	1.1.1.1	192.168.2.4	0x3d5c	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 00:45:17.531117916 CET	1.1.1.1	192.168.2.4	0xb68b	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.557594061 CET	1.1.1.1	192.168.2.4	0x128c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.557594061 CET	1.1.1.1	192.168.2.4	0x128c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.557594061 CET	1.1.1.1	192.168.2.4	0x128c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:17.557594061 CET	1.1.1.1	192.168.2.4	0x128c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:32.606308937 CET	1.1.1.1	192.168.2.4	0xc976	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.166702032 CET	1.1.1.1	192.168.2.4	0xacaf	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.185380936 CET	1.1.1.1	192.168.2.4	0x36c6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.185380936 CET	1.1.1.1	192.168.2.4	0x36c6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.185380936 CET	1.1.1.1	192.168.2.4	0x36c6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.185380936 CET	1.1.1.1	192.168.2.4	0x36c6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.201019049 CET	1.1.1.1	192.168.2.4	0xf1b0	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:33.201019049 CET	1.1.1.1	192.168.2.4	0xf1b0	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.212229967 CET	1.1.1.1	192.168.2.4	0xb7e7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.212229967 CET	1.1.1.1	192.168.2.4	0xb7e7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.212229967 CET	1.1.1.1	192.168.2.4	0xb7e7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.212229967 CET	1.1.1.1	192.168.2.4	0xb7e7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.215550900 CET	1.1.1.1	192.168.2.4	0x5b6	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:45:33.229237080 CET	1.1.1.1	192.168.2.4	0x9bdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 00:45:33.229237080 CET	1.1.1.1	192.168.2.4	0x9bdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 00:45:33.229237080 CET	1.1.1.1	192.168.2.4	0x9bdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 00:45:33.229237080 CET	1.1.1.1	192.168.2.4	0x9bdb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 00:45:34.514528990 CET	1.1.1.1	192.168.2.4	0xe544	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:34.514528990 CET	1.1.1.1	192.168.2.4	0xe544	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:54.025734901 CET	1.1.1.1	192.168.2.4	0x3b2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:45:54.025734901 CET	1.1.1.1	192.168.2.4	0x3b2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:46:34.022691965 CET	1.1.1.1	192.168.2.4	0xab5e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 00:46:34.657176018 CET	1.1.1.1	192.168.2.4	0xcd58	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 00:46:34.657176018 CET	1.1.1.1	192.168.2.4	0xcd58	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 00:45:06.746290922 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:07.334414959 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36050 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:07.760694027 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:07.885301113 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36050 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 00:45:07.553877115 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 00:45:08.182250977 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:08.797519922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26977 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:10.609044075 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:10.741267920 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26979 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:11.283776045 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:11.414020061 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26980 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:15.333180904 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:15.469388008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26984 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:17.084444046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:17.215333939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26986 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:18.837060928 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:18.966993093 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26987 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:19.466430902 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:19.596108913 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26988 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:19.842376947 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:19.972130060 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26988 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:21.065999985 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:21.196116924 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26990 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:22.152529955 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:22.284749985 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26991 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:23.375288010 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:23.505966902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 26992 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:31.582282066 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:31.711157084 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27000 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:33.393630981 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:33.521996021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27002 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:33.924305916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:34.053170919 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27002 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:34.595910072 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:34.724551916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27003 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:45:44.729871035 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:45:54.149213076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:45:54.279751062 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27023 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:46:03.674356937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:46:03.803890944 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27032 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:46:04.308404922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:46:04.438292980 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:46:14.438395023 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:24.445235014 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:34.458550930 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:34.781632900 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 00:46:34.913508892 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 27063 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 00:46:44.926665068 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:54.955270052 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:47:04.973364115 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49751	34.107.221.82	80	7836	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 00:45:08.391850948 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:09.010384083 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36051 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:10.655205011 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:10.787513018 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36053 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:11.870234966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:12.001411915 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36054 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:16.848566055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:16.978373051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36059 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:17.553819895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:17.685759068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36060 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:18.927642107 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:19.059242010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36061 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:19.708637953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:19.839565039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36062 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:20.927397966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:21.059199095 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36063 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:22.018805981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:22.149904013 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36065 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:23.240514040 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:23.371543884 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36066 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:31.449573040 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:31.579399109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36074 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:33.260462999 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:33.390851021 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36076 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:33.792005062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:33.921318054 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36076 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:34.463588953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:34.593383074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36077 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:45:44.598254919 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:45:54.014231920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:45:54.145232916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36097 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:46:03.507028103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:46:03.637758970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36106 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:46:04.174801111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:46:04.305665970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36107 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:46:14.315963030 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:24.329293966 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:34.342621088 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:34.646620035 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 00:46:34.778238058 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 36137 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 00:46:44.788391113 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:46:54.801513910 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 00:47:04.826219082 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	19:44:57
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2d0000
File size:	919'552 bytes
MD5 hash:	BC172E909F941B88AF9D0EB4FB0C16FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:44:57
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:44:57
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:44:59
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:44:59
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:44:59
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:44:59
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:44:59
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:44:59
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:45:00
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:45:00
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:45:00
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:45:00
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:45:00
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	19:45:01
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2208 -prefMapHandle 2200 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8102d085-471f-4a36-be62-010be7f63302} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b91c66ff10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	19:45:03
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -parentBuildID 20230927232528 -prefsHandle 4024 -prefMapHandle 3984 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7decf7cf-7d92-40f7-929e-0a4f03d2d61b} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b92e7ace10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	19:45:09
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5348 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6a0efd-c338-4d1a-9e37-77649038c4f6} 7836 "\\.\pipe\gecko-crash-server-pipe.7836" 1b93631f710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1550
Total number of Limit Nodes:	65

Executed Functions

Function 002D42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002D430D

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

GetCurrentProcess.KERNEL32(?,0036CB64,00000000,?,?), ref: 002D4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 002D4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002D4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002D4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002D4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 002D447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002D44A0

Strings

GetNativeSystemInfo, xrefs: 002D4460
|O, xrefs: 003136F8
kernel32.dll, xrefs: 002D444F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f69dd6793aa49c0f20f993645f9ae82d4cfcc481d41e2a0a2e474809aa8f18d9
Instruction ID: 9149ee49faca4148e1e803ba3dcea915fd059e7c63db830d76415b5e07e6204f
Opcode Fuzzy Hash: f69dd6793aa49c0f20f993645f9ae82d4cfcc481d41e2a0a2e474809aa8f18d9
Instruction Fuzzy Hash: 54A1A26DA2A2C0DFCF17DF697C841E57FAC6B27340F08599AD081A7BE1D6704988CB21

Function 002D42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,002D50AA,?,?,00000000,00000000), ref: 002D42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002D50AA,?,?,00000000,00000000), ref: 002D42C9
LoadResource.KERNEL32(?,00000000,?,?,002D50AA,?,?,00000000,00000000,?,?,?,?,?,?,002D4F20), ref: 003135BE
SizeofResource.KERNEL32(?,00000000,?,?,002D50AA,?,?,00000000,00000000,?,?,?,?,?,?,002D4F20), ref: 003135D3
LockResource.KERNEL32(002D50AA,?,?,002D50AA,?,?,00000000,00000000,?,?,?,?,?,?,002D4F20,?), ref: 003135E6

Strings

SCRIPT, xrefs: 002D42BF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 00466b2c82b71115b7520b5344a733f0b6e3a73a02198b2f037cc90678e416cf
Instruction ID: 88082ac71282f108ba9d26391b68186035a2bbeb9b4841a22e88dbfa0ea96ec8
Opcode Fuzzy Hash: 00466b2c82b71115b7520b5344a733f0b6e3a73a02198b2f037cc90678e416cf
Instruction Fuzzy Hash: DC117C70210701BFEB229B65DC48F677BBEEBC5B51F10856AF846D6250DBB1DC10C660

Function 00312BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 002D2B6B

Part of subcall function 002D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003A1418,?,002D2E7F,?,?,?,00000000), ref: 002D3A78

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00392224), ref: 00312C10
ShellExecuteW.SHELL32(00000000,?,?,00392224), ref: 00312C17

Strings

runas, xrefs: 00312C0B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c2fc6e86680adfc54a1088b4381b54306c5097314c5f26101483d0a512f2895a
Instruction ID: 3b63e5d917fb42e5ebdf259e385185a375f0b85d0c8c252365e1e8ada4f9622e
Opcode Fuzzy Hash: c2fc6e86680adfc54a1088b4381b54306c5097314c5f26101483d0a512f2895a
Instruction Fuzzy Hash: 9911EC312283419AC706FF64D8519BEB7A89FA5744F44541FF082522A2CF608DADDF53

Function 0033D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0033D501
Process32FirstW.KERNEL32(00000000,?), ref: 0033D50F
Process32NextW.KERNEL32(00000000,?), ref: 0033D52F
CloseHandle.KERNELBASE(00000000), ref: 0033D5DC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1fe489b00f4a48979bdaa40a722274cb08588c9a863d0a1af96322973e6d93b0
Instruction ID: ffa754313d2afa7af0a9ef4dc0b566f3fb012ec094af0947f13cd2d7c073f75e
Opcode Fuzzy Hash: 1fe489b00f4a48979bdaa40a722274cb08588c9a863d0a1af96322973e6d93b0
Instruction Fuzzy Hash: 5831B3711083409FD301EF54D885AAFBBE8EF9A344F14052DF581872A2EB719958CB92

Function 0033DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00315222), ref: 0033DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0033DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0033DBEE
FindClose.KERNEL32(00000000), ref: 0033DBFA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: e191c74e7a3c2fa691f96852f99349e1f1adc80bde7dcc781ac9d0e66e434839
Instruction ID: 720f12c5f4aa1b882d17a5f15fcd18838b4f26357a33de0f12bd3f8a49562e0f
Opcode Fuzzy Hash: e191c74e7a3c2fa691f96852f99349e1f1adc80bde7dcc781ac9d0e66e434839
Instruction Fuzzy Hash: C3F0A07083091057C2226B78BC4D8BA776C9E02334F10AB02F8B6C20E0EBF499548695

Function 002F4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003028E9,?,002F4CBE,003028E9,003988B8,0000000C,002F4E15,003028E9,00000002,00000000,?,003028E9), ref: 002F4D09
TerminateProcess.KERNEL32(00000000,?,002F4CBE,003028E9,003988B8,0000000C,002F4E15,003028E9,00000002,00000000,?,003028E9), ref: 002F4D10
ExitProcess.KERNEL32 ref: 002F4D22

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 73aaf543cbbe8b8314ab1bd5b7264478bf1c75d6c9e537d5de40980dbd0f0f84
Instruction ID: 6c748ff459c5efe41251bc03aeb5a567af0d011e7c50009e4c8df5bcaab58bb1
Opcode Fuzzy Hash: 73aaf543cbbe8b8314ab1bd5b7264478bf1c75d6c9e537d5de40980dbd0f0f84
Instruction Fuzzy Hash: 32E0B63102014CABDF12BF54DD09A6A7F6DEB85781F108024FD558A222DBB9DD62CA80

Function 002DBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#:, xrefs: 003207CE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#:
API String ID: 3964851224-3541376913
Opcode ID: aa24059b63ad9fe48398f31a330d8f31b71886cff2b28ee03c770ab633224dec
Instruction ID: 5a8eb198b72c00bee9880003578d32a405cbb83306894029db447a3d2c8a6ffd
Opcode Fuzzy Hash: aa24059b63ad9fe48398f31a330d8f31b71886cff2b28ee03c770ab633224dec
Instruction Fuzzy Hash: F7A28B706183428FD715CF18C480B2ABBE1BF89304F64896EE88A9B352D771EC55CF92

Function 0035AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0035B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0035B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0035B1D4
_wcslen.LIBCMT ref: 0035B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035B236
_wcslen.LIBCMT ref: 0035B332

Part of subcall function 003405A7: GetStdHandle.KERNEL32(000000F6), ref: 003405C6

_wcslen.LIBCMT ref: 0035B34B
_wcslen.LIBCMT ref: 0035B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0035B3B6
GetLastError.KERNEL32(00000000), ref: 0035B407
CloseHandle.KERNEL32(?), ref: 0035B439
CloseHandle.KERNEL32(00000000), ref: 0035B44A
CloseHandle.KERNEL32(00000000), ref: 0035B45C
CloseHandle.KERNEL32(00000000), ref: 0035B46E
CloseHandle.KERNEL32(?), ref: 0035B4E3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7cf858ab49b2187dc54ef89d6487d809e84dca7cb887cc0e63e22612b9e8787e
Instruction ID: 183d362724f0b378d8c43117d64e665a60a608bd529f6e0910b07626106cd8bb
Opcode Fuzzy Hash: 7cf858ab49b2187dc54ef89d6487d809e84dca7cb887cc0e63e22612b9e8787e
Instruction Fuzzy Hash: 73F19C316183409FC726EF24C891B6EBBE5AF85310F15895EF8859B2A2DB31EC44CF52

Function 002DD730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002DD807
timeGetTime.WINMM ref: 002DDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DDB28
TranslateMessage.USER32(?), ref: 002DDB7B
DispatchMessageW.USER32(?), ref: 002DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DDB9F
Sleep.KERNELBASE(0000000A), ref: 002DDBB1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: dae378ba3da816a60270afad4ea458175583a80e494e1b6a33391963fe2160b0
Instruction ID: 0cfad78e6fcc20287d8c0aa68ba8603f20e25aa7623f40b4ffa693ddf012e618
Opcode Fuzzy Hash: dae378ba3da816a60270afad4ea458175583a80e494e1b6a33391963fe2160b0
Instruction Fuzzy Hash: 69420330628B52EFD726CF24D894BAAB7E4BF46304F15851AE49587391C7B1EC64CF82

Function 002D2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D2D07
RegisterClassExW.USER32(00000030), ref: 002D2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D2D42
InitCommonControlsEx.COMCTL32(?), ref: 002D2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D2D6F
LoadIconW.USER32(000000A9), ref: 002D2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D2D94

Strings

TaskbarCreated, xrefs: 002D2D37
0, xrefs: 002D2CE9
AutoIt v3 GUI, xrefs: 002D2D23
+, xrefs: 002D2CF0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 84e5cb79e68109e1f2d521589930781faba9a7a0f5dab1db918a65c45b28aea0
Instruction ID: cb87ae041e4eb2f6fa318cfbc2d564bf921cffba82cf1abf7528a77467d26a98
Opcode Fuzzy Hash: 84e5cb79e68109e1f2d521589930781faba9a7a0f5dab1db918a65c45b28aea0
Instruction Fuzzy Hash: 4521F2B5921318AFDB02DFA4EC89BEEBBB8FB09700F00911AF551A62A0D7B54544CF91

Function 0031065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0031039A: CreateFileW.KERNELBASE(00000000,00000000,?,00310704,?,?,00000000,?,00310704,00000000,0000000C), ref: 003103B7

GetLastError.KERNEL32 ref: 0031076F
__dosmaperr.LIBCMT ref: 00310776
GetFileType.KERNELBASE(00000000), ref: 00310782
GetLastError.KERNEL32 ref: 0031078C
__dosmaperr.LIBCMT ref: 00310795
CloseHandle.KERNEL32(00000000), ref: 003107B5
CloseHandle.KERNEL32(?), ref: 003108FF
GetLastError.KERNEL32 ref: 00310931
__dosmaperr.LIBCMT ref: 00310938

Strings

H, xrefs: 003108BD

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: dd92779522d0ada024267dfcb6a4c76a89101f9f59fcf1577a3d4751c4151c3d
Instruction ID: 44051fc8615168875ca65ddca57d0d11c53857f796b9e8d7a52bcd1756030c50
Opcode Fuzzy Hash: dd92779522d0ada024267dfcb6a4c76a89101f9f59fcf1577a3d4751c4151c3d
Instruction Fuzzy Hash: AAA12536A141088FDF1EAF68D891BEE7BA4EB0A320F144159F815AF3D1C7759C92CB91

Function 002D344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003A1418,?,002D2E7F,?,?,?,00000000), ref: 002D3A78

Part of subcall function 002D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002D3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002D356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0031318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003131CE
RegCloseKey.ADVAPI32(?), ref: 00313210
_wcslen.LIBCMT ref: 00313277
_wcslen.LIBCMT ref: 00313286

Strings

Software\AutoIt v3\AutoIt, xrefs: 002D3560
\Include\, xrefs: 002D3527
\, xrefs: 0031328C
Include, xrefs: 00313184, 003131C5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 9abe808bb16e1969e7b717831258c53c6d2e19ea15a5cbf2aad7266c561f43cd
Instruction ID: 880e7dfa6f7e121b1cbac92c5953b344702fce50d40c692ae5036c47ea74c548
Opcode Fuzzy Hash: 9abe808bb16e1969e7b717831258c53c6d2e19ea15a5cbf2aad7266c561f43cd
Instruction Fuzzy Hash: EA71C4755143009EC716EF69DC818ABBBECFF8A740F40482EF545832A0EB749A48CF52

Function 002D2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 002D2B9D
LoadIconW.USER32(00000063), ref: 002D2BB3
LoadIconW.USER32(000000A4), ref: 002D2BC5
LoadIconW.USER32(000000A2), ref: 002D2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D2BEF
RegisterClassExW.USER32(?), ref: 002D2C40

Part of subcall function 002D2CD4: GetSysColorBrush.USER32(0000000F), ref: 002D2D07
Part of subcall function 002D2CD4: RegisterClassExW.USER32(00000030), ref: 002D2D31
Part of subcall function 002D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D2D42
Part of subcall function 002D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 002D2D5F
Part of subcall function 002D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D2D6F
Part of subcall function 002D2CD4: LoadIconW.USER32(000000A9), ref: 002D2D85
Part of subcall function 002D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D2D94

Strings

0, xrefs: 002D2C0F
AutoIt v3, xrefs: 002D2C2F
#, xrefs: 002D2C16

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2ed0c7e2aa33b73f720d640781c5314f6a3f75d1b218b0e10b43ec9a31a8c1c
Instruction ID: 0d9dadbe271bafda791a1708cb019dd885ddfa1e520e434035ff20550890c6c2
Opcode Fuzzy Hash: e2ed0c7e2aa33b73f720d640781c5314f6a3f75d1b218b0e10b43ec9a31a8c1c
Instruction Fuzzy Hash: EA212C79E10314AFDF129FA5EC55AA97FF8FB49B50F00401AE504A66E0D7F14940CF90

Function 002D3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002D316A,?,?), ref: 002D31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,002D316A,?,?), ref: 002D3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002D316A,?,?), ref: 002D3232
CreatePopupMenu.USER32 ref: 002D3246
PostQuitMessage.USER32(00000000), ref: 002D3267

Strings

TaskbarCreated, xrefs: 002D322D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e2493bf30b872eb4e2d6ca8174f10336723e98c7c1abc2bb5488a06ca458ab61
Instruction ID: 7696b498f34d92f0cd9df0f8574c1679acf7505b2cd000b4aea7376e874dfbb3
Opcode Fuzzy Hash: e2493bf30b872eb4e2d6ca8174f10336723e98c7c1abc2bb5488a06ca458ab61
Instruction Fuzzy Hash: D8411639630202AADB1B9F68DC1DBBA3A1DE706340F044127F955853E1C7E1CE6097A2

Function 002D1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002D1459
CoUninitialize.COMBASE ref: 002D14F8
UnregisterHotKey.USER32(?), ref: 002D16DD
DestroyWindow.USER32(?), ref: 003124B9
FreeLibrary.KERNEL32(?), ref: 0031251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0031254B

Strings

close all, xrefs: 002D1454

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2613792a265a97e8800080f827998e8aa0c1fde4cee0b0c7d300a02913c77858
Instruction ID: 3a2a2566bc2b71ded4629e51f36fcd1ecca6cf98beb6bc4f7aed252a6419a765
Opcode Fuzzy Hash: 2613792a265a97e8800080f827998e8aa0c1fde4cee0b0c7d300a02913c77858
Instruction Fuzzy Hash: 55D18B307212129FDB1AEF15C895A69F7A5BF09700F1581AEE44AAB761CB70EC72CF50

Function 002D2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,002D1CAD,?), ref: 002D2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,002D1CAD,?), ref: 002D2CCF

Strings

AutoIt v3, xrefs: 002D2C89, 002D2C8E, 002D2C8F
edit, xrefs: 002D2CAC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 09ffb0353b425ada4a5abd30b10afbb5eac2e7466fbb5c08fcc2a932770821e9
Instruction ID: b1b79f5f3a3c2725d30fd81cd4d915ec965f2760834236f16ddb0d783c9099f9
Opcode Fuzzy Hash: 09ffb0353b425ada4a5abd30b10afbb5eac2e7466fbb5c08fcc2a932770821e9
Instruction Fuzzy Hash: E6F0DA7A5502A07EEB331B17AC08E772EBDD7C7F60F00505AF900A25A4C6E51850DAB4

Function 002D3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002D3B0F,SwapMouseButtons,00000004,?), ref: 002D3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002D3B0F,SwapMouseButtons,00000004,?), ref: 002D3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002D3B0F,SwapMouseButtons,00000004,?), ref: 002D3B83

Strings

Control Panel\Mouse, xrefs: 002D3B3E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5a409a977f42051549c3393e0ecd7498979f5f07195a1a020eaa78a7543a3c36
Instruction ID: b018ef4b6ae9d7efc5ae39c5112b01b09c8d8af8dad080d0f3089f7b2d174fa9
Opcode Fuzzy Hash: 5a409a977f42051549c3393e0ecd7498979f5f07195a1a020eaa78a7543a3c36
Instruction Fuzzy Hash: A4112AB5520209FFDB21CFA5DC44AAEBBBCEF04748B10846BE845D7210D271DE509761

Function 002D3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003133A2

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D3A04

Strings

Line: , xrefs: 003133EB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ecd1e8cc295eb51d4120b8937365dd5f0a605e538149394504a760115b6e8d26
Instruction ID: c578f96965e1d920b132d617666523e81f7482f050e3d99528650b727a590b8a
Opcode Fuzzy Hash: ecd1e8cc295eb51d4120b8937365dd5f0a605e538149394504a760115b6e8d26
Instruction Fuzzy Hash: 6531A071528304AAC726EF20DC45BEBB7DCAB45710F00592BF599922D1DBB09E68CBD3

Function 002D2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00312C8C

Part of subcall function 002D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D3A97,?,?,002D2E7F,?,?,?,00000000), ref: 002D3AC2

Part of subcall function 002D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D2DC4

Strings

X, xrefs: 00312C5A
`e9, xrefs: 00312C85

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e9
API String ID: 779396738-3997800372
Opcode ID: b06bd5e301765547e5ccb79fd1c4235c9c7bda6602ab476a41fb8d5e8239104c
Instruction ID: 1f4cd13d0a2c1d1e044b875335acd8b20e7107cab193c810d87370acc23896a5
Opcode Fuzzy Hash: b06bd5e301765547e5ccb79fd1c4235c9c7bda6602ab476a41fb8d5e8239104c
Instruction Fuzzy Hash: 94219371A202589BCF46EF94C845BEE7BFCAF49304F00805AE545A7341DBB45A998FA1

Function 002EFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002F0668

Part of subcall function 002F32A4: RaiseException.KERNEL32(?,?,?,002F068A,?,003A1444,?,?,?,?,?,?,002F068A,002D1129,00398738,002D1129), ref: 002F3304

__CxxThrowException@8.LIBVCRUNTIME ref: 002F0685

Strings

Unknown exception, xrefs: 002F0692

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: dc4ccda34c9a03715409c9382eb1a41c9df68ab67749c2f8afb3714c2ea8b310
Instruction ID: 6bc02255f4262dd1316dcb7cfd4a150ecd1c5b03b3b534490ec25eff0d53a00d
Opcode Fuzzy Hash: dc4ccda34c9a03715409c9382eb1a41c9df68ab67749c2f8afb3714c2ea8b310
Instruction Fuzzy Hash: 5DF0A42492020D67CF00BAA5DC86CBEBB6C5E40390BA04171FB14D5596EFB1DA358980

Function 002D10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 002D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D1BF4
Part of subcall function 002D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 002D1BFC
Part of subcall function 002D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D1C07
Part of subcall function 002D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D1C12
Part of subcall function 002D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 002D1C1A
Part of subcall function 002D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 002D1C22

Part of subcall function 002D1B4A: RegisterWindowMessageW.USER32(00000004,?,002D12C4), ref: 002D1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002D136A
OleInitialize.OLE32 ref: 002D1388
CloseHandle.KERNEL32(00000000,00000000), ref: 003124AB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: efe318adb43e220f364f07f44886a25e829359d42e6cb4c93f4224c85f046c4d
Instruction ID: d21269c8b3a74aa606d390bfc0596cef162efd22a77c65232e857c6e3df58b89
Opcode Fuzzy Hash: efe318adb43e220f364f07f44886a25e829359d42e6cb4c93f4224c85f046c4d
Instruction Fuzzy Hash: C371AEB9D212508FC38BDF7AA8556A53AECFB8B384F54822AD44AC7371EB344850CF50

Function 0033C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0033C259
KillTimer.USER32(?,00000001,?,?), ref: 0033C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0033C270

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 90309798ab4f8f2d4021908929dcd8c68f1dbe8c2a45766228227c3756d214fb
Instruction ID: 6dd251ed975933c2e241d7af618a4cbf82d15749fdbbcaff74d51d2514776d60
Opcode Fuzzy Hash: 90309798ab4f8f2d4021908929dcd8c68f1dbe8c2a45766228227c3756d214fb
Instruction Fuzzy Hash: 9B31C370914344AFEF23DF648895BE7BBECAB06304F00549AD2DAA7242C7745A84CB51

Function 003086AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003085CC,?,00398CC8,0000000C), ref: 00308704
GetLastError.KERNEL32(?,003085CC,?,00398CC8,0000000C), ref: 0030870E
__dosmaperr.LIBCMT ref: 00308739

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: c9c256626e5fa2a97522949ae1a6122edbf99efe07653d743479c6f61df35ae6
Instruction ID: 259cc122587c2d68c29499f3dc655015e72b031fffe4a8118d11117f1933ccb4
Opcode Fuzzy Hash: c9c256626e5fa2a97522949ae1a6122edbf99efe07653d743479c6f61df35ae6
Instruction Fuzzy Hash: 4401CE36B032241AC6276334A87573F2B4C4B92B74F3B0159F9849F1D3CEA2CC808640

Function 002DDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 002DDB7B
DispatchMessageW.USER32(?), ref: 002DDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DDB9F
Sleep.KERNELBASE(0000000A), ref: 002DDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00321CC9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 19e46ae7ee3995fa055e71aa205fac7b2e544f7a8032c28ef1ed5951782c1664
Instruction ID: 88c67ee6b128c59da653678ff1c202f5d6ad66640a3e9a2d835d4414501852d8
Opcode Fuzzy Hash: 19e46ae7ee3995fa055e71aa205fac7b2e544f7a8032c28ef1ed5951782c1664
Instruction Fuzzy Hash: 2DF082306643519BEB31CB61DC49FEA73ACEB45314F50861AE69AC31C0DB74A858DB26

Function 002E1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E17F6

Strings

CALL, xrefs: 002E17C6

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9304c22ff574dae4b2a7098cbcb465555fbd8ac3146a0202faa88407533f2504
Instruction ID: aa31ec93b6aeac242db00ab115a511a3ebc12cc9728eff9bf8f11de27411cc1d
Opcode Fuzzy Hash: 9304c22ff574dae4b2a7098cbcb465555fbd8ac3146a0202faa88407533f2504
Instruction Fuzzy Hash: 9D22AD706182819FC714CF16C481A2ABBF5BF89304FA4896DF4968B3A1D771E861CF92

Function 002D3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D3908

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9846b5594dc7869a21a9456e1402bd62ab1d908dfc54ababa601954e3f92f255
Instruction ID: 651a0ff9806e8e40945c692de326f0139e798d559adc61a67c1ce4a5e7496dca
Opcode Fuzzy Hash: 9846b5594dc7869a21a9456e1402bd62ab1d908dfc54ababa601954e3f92f255
Instruction Fuzzy Hash: 7E318EB45143019FD722DF24D894797BBE8FB49708F00092EF599D7380E7B1AA54CB52

Function 002EF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002EF661

Part of subcall function 002DD730: GetInputState.USER32 ref: 002DD807

Sleep.KERNEL32(00000000), ref: 0032F2DE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e5c88a754be32e9256bb275abd9c4a46f284dca2efb8600fc2f4eb59eda40427
Instruction ID: a651f94fef1552ef718eae473a1951e5a80418db957b65f9ad9d40eee7a2e00f
Opcode Fuzzy Hash: e5c88a754be32e9256bb275abd9c4a46f284dca2efb8600fc2f4eb59eda40427
Instruction Fuzzy Hash: 07F08C352A06059FD354EF79E459B6AB7E8EF46760F00402AE859C7360DBB0AC10CF90

Function 002D4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D4EDD,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4E9C
Part of subcall function 002D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D4EAE
Part of subcall function 002D4E90: FreeLibrary.KERNEL32(00000000,?,?,002D4EDD,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4EFD

Part of subcall function 002D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00313CDE,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4E62
Part of subcall function 002D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D4E74
Part of subcall function 002D4E59: FreeLibrary.KERNEL32(00000000,?,?,00313CDE,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4E87

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: a71639f08923fd0366ac78fe9f195216c5d942b7868b6143af9f40adc5985a08
Instruction ID: 1c05de791df26c3c82d5bed6c68b44f89f261705ce66dedb5d29b74b284bbb25
Opcode Fuzzy Hash: a71639f08923fd0366ac78fe9f195216c5d942b7868b6143af9f40adc5985a08
Instruction Fuzzy Hash: 6611E731620205AFCF15BF60DC06FAD77A59F44714F10842FF582AA2E1DEB49E659B50

Function 00308402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00308440

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 43b62da7978c283fcc23f29907f6b36e539fe480c037d02486ebf20fe38f9440
Instruction ID: 8fa0308d4026deff98decd04580bfdf2b72dc67dc3b15ea205d8598490552734
Opcode Fuzzy Hash: 43b62da7978c283fcc23f29907f6b36e539fe480c037d02486ebf20fe38f9440
Instruction Fuzzy Hash: 7311487190410AAFCB0ADF58E9409DE7BF8EF48300F114059F808AB352DB30DA11CBA4

Function 00305000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00304C7D: RtlAllocateHeap.NTDLL(00000008,002D1129,00000000,?,00302E29,00000001,00000364,?,?,?,002FF2DE,00303863,003A1444,?,002EFDF5,?), ref: 00304CBE

_free.LIBCMT ref: 0030506C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: fcac7726eaf64b35c6bd244622b2ab3baa3985101e9a6a79ce8395d6c8bf722f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 54012B722057046BE3228E55985595BFBECFB85370F25051DE184872C0E6306905CB74

Function 002FE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9b87a5efad34d44daae910fa11d709f7b284376e35748d65adee7772bfedc216
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: DAF0D632531A1C96DA332E658C15B6BB39C9F523B0F110735F621DA2E2DB7494118AA5

Function 00304C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,002D1129,00000000,?,00302E29,00000001,00000364,?,?,?,002FF2DE,00303863,003A1444,?,002EFDF5,?), ref: 00304CBE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cebcf81c095ace453ee53a0b47dae3284f3e7c194ee1324e561df08c9d0229cf
Instruction ID: 4d54501dd6b235229535021f23e1484ea871609913c6dc439596504250f873a3
Opcode Fuzzy Hash: cebcf81c095ace453ee53a0b47dae3284f3e7c194ee1324e561df08c9d0229cf
Instruction Fuzzy Hash: EAF0BB7151312877FB239F619C19B6B774CAF417A0F158122FA15965D0CA70D91046E0

Function 00303820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,003A1444,?,002EFDF5,?,?,002DA976,00000010,003A1440,002D13FC,?,002D13C6,?,002D1129), ref: 00303852

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a12bf136ae47ca4f2cef63c982fd4fcd8998a4c4ffb0188405cb3b899dc6cb5
Instruction ID: 2c3b6e69a6761a895d0e75b8635bb075e59b31a6d570279f6ce38e0e83df9c10
Opcode Fuzzy Hash: 6a12bf136ae47ca4f2cef63c982fd4fcd8998a4c4ffb0188405cb3b899dc6cb5
Instruction Fuzzy Hash: 0BE0E53111222856D7232A669C14BAB764CAF427F0F0681B1FD45928D0CB51DE0585E1

Function 002D4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4F6D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f03979b5992c5b7234eba11a0c5b1baa521aec8209c9687434f4a63dba3e4dd4
Instruction ID: a2641bf388153e9c1cce3833abb20f97bc747415972fd2b3b3e38c1ea8e34f1a
Opcode Fuzzy Hash: f03979b5992c5b7234eba11a0c5b1baa521aec8209c9687434f4a63dba3e4dd4
Instruction Fuzzy Hash: C3F01571125752CFDB34AF64D490822BBE4AF14329320897FE2EA82A21CB719C64DF10

Function 00362A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00362A66

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1ef0454a554f914aa3274bf214908d1c0c68ef2e539d854ca717ff01fcb97f80
Instruction ID: d9a0525cb9417ae3c085fc45e34be670bf3a5fcb87e1b4960f0292c3f7ab137c
Opcode Fuzzy Hash: 1ef0454a554f914aa3274bf214908d1c0c68ef2e539d854ca717ff01fcb97f80
Instruction Fuzzy Hash: 26E0DF36750916AAC712EB70DC809FB734CEB10390B018436FC26CA100DF70999182A0

Function 002D30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 002D314E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 333d58df3ff9956be13d94414dec7b0f2375321fb2eab0b39abc15c6681aede5
Instruction ID: 833991a115ea5467354d03dc88d012a84d4b03a2f7c89734990241ef946d3280
Opcode Fuzzy Hash: 333d58df3ff9956be13d94414dec7b0f2375321fb2eab0b39abc15c6681aede5
Instruction Fuzzy Hash: B2F037759243589FEB53DF24DC457D67BBCA702708F0000E5A68896291DBB45B88CF51

Function 002D2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002D2DC4

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1105c6c8830a127d4ad34a6d9dad5867d86c3d8877d7784ea3917872d0343e43
Instruction ID: 783303a8ca6ed20a6eab6458cacbf74e176054662c6bc829ffe883b09a87b46d
Opcode Fuzzy Hash: 1105c6c8830a127d4ad34a6d9dad5867d86c3d8877d7784ea3917872d0343e43
Instruction Fuzzy Hash: BDE0CD726041245BCB11A2589C05FEA77DDDFC8790F044172FD09E7248D960AD808550

Function 002D2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D3908

Part of subcall function 002DD730: GetInputState.USER32 ref: 002DD807

SetCurrentDirectoryW.KERNEL32(?), ref: 002D2B6B

Part of subcall function 002D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 002D314E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 0cf7d6aa349c2b2ecae5fda0d005bd6fbce6349ac430f6ca28f556cfcb3a060c
Instruction ID: a7876aa975d6090c864276ab4befc5826e937f12c4f92560a5a4f6327a345a35
Opcode Fuzzy Hash: 0cf7d6aa349c2b2ecae5fda0d005bd6fbce6349ac430f6ca28f556cfcb3a060c
Instruction Fuzzy Hash: 8CE0262532024402C604FB35E81257DA75D8BD6351F40143FF082C33A2CE644D694A12

Function 0031039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00310704,?,?,00000000,?,00310704,00000000,0000000C), ref: 003103B7

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 53deef50b19559025cdfbd44ed6fbf0b802974e0b3acc53ba419ad6e72cb6476
Instruction ID: a4ed12d0a523e36c411745d80a76352ce1df502471aea19b5cf2ecec8202ae3e
Opcode Fuzzy Hash: 53deef50b19559025cdfbd44ed6fbf0b802974e0b3acc53ba419ad6e72cb6476
Instruction Fuzzy Hash: 4BD06C3205010DBBDF028F84DD06EDA3BAAFB48714F018000FE5856020C772E821AB90

Function 002D1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 002D1CBC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: d8af2644c661959f9bbf5a797e2242c0d849040a47fff19ec570c0233a791587
Instruction ID: 713d5982ec703a051fd754a109d8ea036f3fe5bbaba8d2e4f577cdbfba6c1c0c
Opcode Fuzzy Hash: d8af2644c661959f9bbf5a797e2242c0d849040a47fff19ec570c0233a791587
Instruction Fuzzy Hash: 3AC09B352803049FF6174B85BC4AF11775CB34AB10F048001F749555E3C3E11410DA50

Non-executed Functions

Function 00369576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0036961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0036965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0036969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003696C9
SendMessageW.USER32 ref: 003696F2
GetKeyState.USER32(00000011), ref: 0036978B
GetKeyState.USER32(00000009), ref: 00369798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003697AE
GetKeyState.USER32(00000010), ref: 003697B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003697E9
SendMessageW.USER32 ref: 00369810
SendMessageW.USER32(?,00001030,?,00367E95), ref: 00369918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0036992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00369941
SetCapture.USER32(?), ref: 0036994A
ClientToScreen.USER32(?,?), ref: 003699AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003699BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003699D6
ReleaseCapture.USER32 ref: 003699E1
GetCursorPos.USER32(?), ref: 00369A19
ScreenToClient.USER32(?,?), ref: 00369A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00369A80
SendMessageW.USER32 ref: 00369AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00369AEB
SendMessageW.USER32 ref: 00369B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00369B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00369B4A
GetCursorPos.USER32(?), ref: 00369B68
ScreenToClient.USER32(?,?), ref: 00369B75
GetParent.USER32(?), ref: 00369B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00369BFA
SendMessageW.USER32 ref: 00369C2B
ClientToScreen.USER32(?,?), ref: 00369C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00369CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00369CDE
SendMessageW.USER32 ref: 00369D01
ClientToScreen.USER32(?,?), ref: 00369D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00369D82

Part of subcall function 002E9944: GetWindowLongW.USER32(?,000000EB), ref: 002E9952

GetWindowLongW.USER32(?,000000F0), ref: 00369E05

Strings

p#:, xrefs: 00369990
@GUI_DRAGID, xrefs: 0036997D
F, xrefs: 00369D07

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#:
API String ID: 3429851547-755326015
Opcode ID: 9bbe6623d014aa171fa8df7e8d842f835e60b923a4d2094ff90bbc32b09815fd
Instruction ID: 0560fa1c34e79e738a00435329024b45f226b0629ff3489b6f020d6d58bfe9ef
Opcode Fuzzy Hash: 9bbe6623d014aa171fa8df7e8d842f835e60b923a4d2094ff90bbc32b09815fd
Instruction Fuzzy Hash: 50426C34204341AFDB26CF28CC44BAABBEDFF49320F15861AF699872A5D7719864CF51

Function 00364873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003648F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00364908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00364927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0036494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0036495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0036497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003649AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003649D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00364A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00364A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00364A7E
IsMenu.USER32(?), ref: 00364A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00364AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00364B20
GetWindowLongW.USER32(?,000000F0), ref: 00364B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00364BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00364C82
wsprintfW.USER32 ref: 00364CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00364CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00364CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00364D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00364D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00364D5A

Strings

%d/%02d/%02d, xrefs: 00364CA8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 057fac1f7284617a7f47642f27516270ac70af3039e99b83117120ff1ff8b378
Instruction ID: 6adc10c8371cf96cb3d754c5f5b845bd8668930d997278495216f85a14b585f3
Opcode Fuzzy Hash: 057fac1f7284617a7f47642f27516270ac70af3039e99b83117120ff1ff8b378
Instruction Fuzzy Hash: 75121231A00244ABEB269F24DD49FBEBBF8EF45710F148129F916DB2E5DBB49940CB50

Function 002EF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002EF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0032F474
IsIconic.USER32(00000000), ref: 0032F47D
ShowWindow.USER32(00000000,00000009), ref: 0032F48A
SetForegroundWindow.USER32(00000000), ref: 0032F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0032F4AA
GetCurrentThreadId.KERNEL32 ref: 0032F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0032F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0032F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0032F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0032F4DE
SetForegroundWindow.USER32(00000000), ref: 0032F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0032F4F6
keybd_event.USER32(00000012,00000000), ref: 0032F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0032F50B
keybd_event.USER32(00000012,00000000), ref: 0032F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0032F519
keybd_event.USER32(00000012,00000000), ref: 0032F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0032F528
keybd_event.USER32(00000012,00000000), ref: 0032F52D
SetForegroundWindow.USER32(00000000), ref: 0032F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0032F557

Strings

Shell_TrayWnd, xrefs: 0032F46F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 326dd06eda083d93c758e19b37dff2a90c705caef1930ac99545e31b1105cb75
Instruction ID: 8edcc04c3eac85a68fa61dc0631511f8ef55eced00da2e4efd76d28febd3a7a7
Opcode Fuzzy Hash: 326dd06eda083d93c758e19b37dff2a90c705caef1930ac99545e31b1105cb75
Instruction Fuzzy Hash: A831B471A50228BFEB226FB69C4AFBF7E7CEB45B50F105026F601E61D1C6F05D00AA64

Function 00331201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033170D
Part of subcall function 003316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033173A
Part of subcall function 003316C3: GetLastError.KERNEL32 ref: 0033174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00331286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003312A8
CloseHandle.KERNEL32(?), ref: 003312B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003312D1
GetProcessWindowStation.USER32 ref: 003312EA
SetProcessWindowStation.USER32(00000000), ref: 003312F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00331310

Part of subcall function 003310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003311FC), ref: 003310D4
Part of subcall function 003310BF: CloseHandle.KERNEL32(?,?,003311FC), ref: 003310E9

Strings

default, xrefs: 0033130B
, xrefs: 0033125A
Z9, xrefs: 00331392
winsta0, xrefs: 003312CC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z9
API String ID: 22674027-2899287956
Opcode ID: 85946a7aaba0bd6eaca6c3227dfc161c1af81fceafb0b39111c16d002b1fdef7
Instruction ID: 702412e8fbe042d0fdbf85d0d042d46a83aeae46d6085ca3fc8cce11250a1c66
Opcode Fuzzy Hash: 85946a7aaba0bd6eaca6c3227dfc161c1af81fceafb0b39111c16d002b1fdef7
Instruction Fuzzy Hash: E8817C71910349AFDF229FA5DC89BFE7BBDEF04704F188129F911A61A0DBB58954CB20

Function 00330B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00331114
Part of subcall function 003310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 00331120
Part of subcall function 003310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 0033112F
Part of subcall function 003310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 00331136
Part of subcall function 003310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0033114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00330BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00330C00
GetLengthSid.ADVAPI32(?), ref: 00330C17
GetAce.ADVAPI32(?,00000000,?), ref: 00330C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00330C6D
GetLengthSid.ADVAPI32(?), ref: 00330C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00330C8C
HeapAlloc.KERNEL32(00000000), ref: 00330C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00330CB4
CopySid.ADVAPI32(00000000), ref: 00330CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00330CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00330D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00330D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00330D45
HeapFree.KERNEL32(00000000), ref: 00330D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00330D55
HeapFree.KERNEL32(00000000), ref: 00330D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00330D65
HeapFree.KERNEL32(00000000), ref: 00330D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00330D78
HeapFree.KERNEL32(00000000), ref: 00330D7F

Part of subcall function 00331193: GetProcessHeap.KERNEL32(00000008,00330BB1,?,00000000,?,00330BB1,?), ref: 003311A1
Part of subcall function 00331193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00330BB1,?), ref: 003311A8
Part of subcall function 00331193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00330BB1,?), ref: 003311B7

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bf1f134e4a388d62961b7d8861382fb0da15e65361540089cd070b6f9cee2510
Instruction ID: 13cbb34f10c543f2d366d38e774a24df8abf43be9f50dd4261049230fa6c2077
Opcode Fuzzy Hash: bf1f134e4a388d62961b7d8861382fb0da15e65361540089cd070b6f9cee2510
Instruction Fuzzy Hash: 6B715B7290020AABDF16DFA4DC88BEEBBBCBF05300F058555E955A6191D7B1E905CB60

Function 0034EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0036CC08), ref: 0034EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0034EB37
GetClipboardData.USER32(0000000D), ref: 0034EB43
CloseClipboard.USER32 ref: 0034EB4F
GlobalLock.KERNEL32(00000000), ref: 0034EB87
CloseClipboard.USER32 ref: 0034EB91
GlobalUnlock.KERNEL32(00000000), ref: 0034EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0034EBC9
GetClipboardData.USER32(00000001), ref: 0034EBD1
GlobalLock.KERNEL32(00000000), ref: 0034EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0034EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0034EC38
GetClipboardData.USER32(0000000F), ref: 0034EC44
GlobalLock.KERNEL32(00000000), ref: 0034EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0034EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0034EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0034ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0034ECF3
CountClipboardFormats.USER32 ref: 0034ED14
CloseClipboard.USER32 ref: 0034ED59

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: a1a79c1fb562e37ee8fb740c72a4322d7d87e1f8d59ecf1ff4f00df03991c77f
Instruction ID: 41b71de87f4bee6e6b2f2fb8342fa01648b375d16216397701caecf80ddc43b3
Opcode Fuzzy Hash: a1a79c1fb562e37ee8fb740c72a4322d7d87e1f8d59ecf1ff4f00df03991c77f
Instruction Fuzzy Hash: 8861E1352042019FD302EF24D899F7A77E8FF88704F08955AF8969B2A1CB71ED45CB62

Function 0034698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003469BE
FindClose.KERNEL32(00000000), ref: 00346A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00346A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00346A75

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00346AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00346ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00346B32
%03d, xrefs: 00346DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00346B6A
%02d, xrefs: 00346C00, 00346C0A, 00346C5A, 00346CAA, 00346CFA, 00346D4A
%4d, xrefs: 00346BB1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6a580204153975d93faa6e5cb5eff4285ab15f69c3a359ad3b14fe3331a23bc3
Instruction ID: 9df7ea5ee2b7d15c095206a0c9dc384bfeec47fd93cbb183ab2f953bea9ab77b
Opcode Fuzzy Hash: 6a580204153975d93faa6e5cb5eff4285ab15f69c3a359ad3b14fe3331a23bc3
Instruction Fuzzy Hash: 57D160B1518340AEC710EFA0C996EABB7ECAF88704F44491EF585C6291EB74DE54CB62

Function 00349642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00349663
GetFileAttributesW.KERNEL32(?), ref: 003496A1
SetFileAttributesW.KERNEL32(?,?), ref: 003496BB
FindNextFileW.KERNEL32(00000000,?), ref: 003496D3
FindClose.KERNEL32(00000000), ref: 003496DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003496FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0034974A
SetCurrentDirectoryW.KERNEL32(00396B7C), ref: 00349768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00349772
FindClose.KERNEL32(00000000), ref: 0034977F
FindClose.KERNEL32(00000000), ref: 0034978F

Strings

*.*, xrefs: 003496F5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3f5b0d5c36e623c5bdd204585f23e28c68d4629229bf91f6657a8252beb6d25a
Instruction ID: 18cdd8c553998ab01ac40c3edb5891d9fef8b3504f625a66dd3ec7284ae11088
Opcode Fuzzy Hash: 3f5b0d5c36e623c5bdd204585f23e28c68d4629229bf91f6657a8252beb6d25a
Instruction Fuzzy Hash: 2831B2326112196ADF12EFB5DC09AEF7BEC9F09320F118166E955E61A0EB74ED408B14

Function 0034979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003497BE
FindNextFileW.KERNEL32(00000000,?), ref: 00349819
FindClose.KERNEL32(00000000), ref: 00349824
FindFirstFileW.KERNEL32(*.*,?), ref: 00349840
SetCurrentDirectoryW.KERNEL32(?), ref: 00349890
SetCurrentDirectoryW.KERNEL32(00396B7C), ref: 003498AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003498B8
FindClose.KERNEL32(00000000), ref: 003498C5
FindClose.KERNEL32(00000000), ref: 003498D5

Part of subcall function 0033DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0033DB00

Strings

*.*, xrefs: 0034983B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f66ef477b163bae8a803829823e53871e769415a77ae3f70f6e3e32ffe2e9056
Instruction ID: 304dacf1e696a6f9f52273b3b4e54aade1c8e36a547494e621bc9bb1f5447ccf
Opcode Fuzzy Hash: f66ef477b163bae8a803829823e53871e769415a77ae3f70f6e3e32ffe2e9056
Instruction Fuzzy Hash: 9331C1325012196ADF12EFB8EC49BEF77EC9F06320F118166E950A61A0DB70EA458A20

Function 0035BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0035C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035B6AE,?,?), ref: 0035C9B5
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035C9F1
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA68
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0035BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0035BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0035C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0035C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0035C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035C382
RegCloseKey.ADVAPI32(00000000), ref: 0035C38F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: f4c2389245e9ff957edaa55bb90a387fde5c63908d112fb0a18e02d8060e19b1
Instruction ID: f85a026ae8ab82d46ee4bcd14e2f376e668e18037d462bcd6f97c707f6635a82
Opcode Fuzzy Hash: f4c2389245e9ff957edaa55bb90a387fde5c63908d112fb0a18e02d8060e19b1
Instruction Fuzzy Hash: 88025A71614200AFC715DF28C895E2ABBE5EF89308F19C49DF84ACB2A2D735ED45CB52

Function 00348195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00348257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00348267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00348273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00348310
SetCurrentDirectoryW.KERNEL32(?), ref: 00348324
SetCurrentDirectoryW.KERNEL32(?), ref: 00348356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0034838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00348395

Strings

*.*, xrefs: 0034839B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e588a4ebcd673890d62c81f0cb6b5180f154b80ee50f8ab46d42f4234905ed26
Instruction ID: 1c721282585194047abb6e0c6cbeaffb5a95c17288a53e3f3f3b04ab5f4094a3
Opcode Fuzzy Hash: e588a4ebcd673890d62c81f0cb6b5180f154b80ee50f8ab46d42f4234905ed26
Instruction Fuzzy Hash: D16158765183459FCB11EF60D8409AEB3E8FF89310F04892EF9898B251EB35E955CF92

Function 0033D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D3A97,?,?,002D2E7F,?,?,?,00000000), ref: 002D3AC2

Part of subcall function 0033E199: GetFileAttributesW.KERNEL32(?,0033CF95), ref: 0033E19A

FindFirstFileW.KERNEL32(?,?), ref: 0033D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0033D1DD
MoveFileW.KERNEL32(?,?), ref: 0033D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0033D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0033D237

Part of subcall function 0033D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0033D21C,?,?), ref: 0033D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0033D253
FindClose.KERNEL32(00000000), ref: 0033D264

Strings

\*.*, xrefs: 0033D0CD, 0033D0D6, 0033D0EB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9f9c24b0f355ff094d04648cbc5581bba38ac0b95bbd3b0fe9407b26ed3a9c85
Instruction ID: 6924d90dc520c8ffd4072f3642e41e6c207a985640d95bf03b1bd93a0d4ba3dc
Opcode Fuzzy Hash: 9f9c24b0f355ff094d04648cbc5581bba38ac0b95bbd3b0fe9407b26ed3a9c85
Instruction Fuzzy Hash: 03616D31D0114D9BCF06EBE0EA929EEB779AF15300F244566E402B7292EB309F59DF61

Function 0034ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0034ED91
EmptyClipboard.USER32 ref: 0034ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0034EDAC
CloseClipboard.USER32 ref: 0034EEA3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 51665444eb6c7f80c1f051d9aaf848165f0989973c4e6c1d452ddf3a987bdc11
Instruction ID: c5a252477721fd6069da96095bb7297b9790f7cf05af9fc9953aef23a5fc4a1b
Opcode Fuzzy Hash: 51665444eb6c7f80c1f051d9aaf848165f0989973c4e6c1d452ddf3a987bdc11
Instruction Fuzzy Hash: A141DD35604211AFD712CF15D888B29BBE9FF04318F15C099E8558FA62C7B1FC41CB80

Function 0033E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033170D
Part of subcall function 003316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033173A
Part of subcall function 003316C3: GetLastError.KERNEL32 ref: 0033174A

ExitWindowsEx.USER32(?,00000000), ref: 0033E932

Strings

@, xrefs: 0033E925
, xrefs: 0033E95C
, xrefs: 0033E920
SeShutdownPrivilege, xrefs: 0033E902

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 303ac0f7d6fdf214ac6e6686ca17ba20148b9a4874a94313df5235fe997ad2e0
Instruction ID: 27e37e6c61a0459dde808a9335f5c40c981cf5cac99cbae72fe3caa17d6a40b1
Opcode Fuzzy Hash: 303ac0f7d6fdf214ac6e6686ca17ba20148b9a4874a94313df5235fe997ad2e0
Instruction Fuzzy Hash: 8E01F972620215ABEB5626B49CC6FBF725CA714751F164822FD13F61D1D7A89C408394

Function 00351204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00351276
WSAGetLastError.WSOCK32 ref: 00351283
bind.WSOCK32(00000000,?,00000010), ref: 003512BA
WSAGetLastError.WSOCK32 ref: 003512C5
closesocket.WSOCK32(00000000), ref: 003512F4
listen.WSOCK32(00000000,00000005), ref: 00351303
WSAGetLastError.WSOCK32 ref: 0035130D
closesocket.WSOCK32(00000000), ref: 0035133C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 4d828cffd1bc9e201ee5dc672376d08f7d58f7d39538ea218bbc7996e516371b
Instruction ID: 1bc8a168b7f63737a90dc38491b0731ee20885cd5cd3a5033b292f25296c69ff
Opcode Fuzzy Hash: 4d828cffd1bc9e201ee5dc672376d08f7d58f7d39538ea218bbc7996e516371b
Instruction Fuzzy Hash: 8041CF35A001009FD721DF24C488F2ABBE5AF86319F198589EC568F3A2C771EC85CBE1

Function 0033D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D3A97,?,?,002D2E7F,?,?,?,00000000), ref: 002D3AC2

Part of subcall function 0033E199: GetFileAttributesW.KERNEL32(?,0033CF95), ref: 0033E19A

FindFirstFileW.KERNEL32(?,?), ref: 0033D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0033D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0033D481
FindClose.KERNEL32(00000000), ref: 0033D498
FindClose.KERNEL32(00000000), ref: 0033D4A1

Strings

\*.*, xrefs: 0033D3F2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5e8c27b681d9e748667372a4bfe198b51f8b089bfcae626fd70e38826597f5d9
Instruction ID: 71a3df86fc810882b86bdb564ecd749d5803f9125e86cf67b0325441861bab98
Opcode Fuzzy Hash: 5e8c27b681d9e748667372a4bfe198b51f8b089bfcae626fd70e38826597f5d9
Instruction Fuzzy Hash: 6C3164710183859BC706EF64D8958AF77A8AE91314F444D1EF4D193291EB30AE19DB63

Function 0030E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0030E645

Strings

1#SNAN, xrefs: 0030F844
1#INF, xrefs: 0030F852
1#QNAN, xrefs: 0030F84B
1#IND, xrefs: 0030F83D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 96e2d31dca232e55a0076cc7e13401f7fd369b0065dd27118c2017776e170b90
Instruction ID: fc94e2035675a1e6f707d191a7c061648760879b138828a7b81c6536d39c65bc
Opcode Fuzzy Hash: 96e2d31dca232e55a0076cc7e13401f7fd369b0065dd27118c2017776e170b90
Instruction Fuzzy Hash: 0EC25D71E096288FDB36CE28DD507EAB7B9EB48304F1545EAD44DE7680E774AE818F40

Function 0034648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003464DC
CoInitialize.OLE32(00000000), ref: 00346639
CoCreateInstance.OLE32(0036FCF8,00000000,00000001,0036FB68,?), ref: 00346650
CoUninitialize.OLE32 ref: 003468D4

Strings

.lnk, xrefs: 003464BA, 00346524, 003465E0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3d919db08e7446c695083467e3e1421e2eb099fe64ac273134fbcc7295d7871c
Instruction ID: 3e473ef1be9e0f01367547dc67c20c061ab97bc4d87ed6d3370c0de0d8c60800
Opcode Fuzzy Hash: 3d919db08e7446c695083467e3e1421e2eb099fe64ac273134fbcc7295d7871c
Instruction Fuzzy Hash: ABD15971518301AFC305EF24C88196BB7E8FF99704F50896EF5958B2A1EB70ED45CB92

Function 003522DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003522E8

Part of subcall function 0034E4EC: GetWindowRect.USER32(?,?), ref: 0034E504

GetDesktopWindow.USER32 ref: 00352312
GetWindowRect.USER32(00000000), ref: 00352319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00352355
GetCursorPos.USER32(?), ref: 00352381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003523DF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: bd4453ebf1ef29f8f4784494feabf63026a55c3c87bc41498493e9cc51ecc0a9
Instruction ID: 0e4273ea69c3fdb4c2f1839a3ef259d52336acbd093955cc394cbfffd9af1072
Opcode Fuzzy Hash: bd4453ebf1ef29f8f4784494feabf63026a55c3c87bc41498493e9cc51ecc0a9
Instruction Fuzzy Hash: 6E31FE72104305AFC722DF54C848FABBBADFF85310F000919F9859B191DB74EA08CB92

Function 00349B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00349B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00349C8B

Part of subcall function 00343874: GetInputState.USER32 ref: 003438CB
Part of subcall function 00343874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00343966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00349BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00349C75

Strings

*.*, xrefs: 00349B5D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 2a57f9931d160c67c4551e40ce6054b6bac374440a784d0cad20f4a4eab43c05
Instruction ID: e452885cdbba142ee6bd0481cd95c687ae10230532a88016f94e20faf5397acf
Opcode Fuzzy Hash: 2a57f9931d160c67c4551e40ce6054b6bac374440a784d0cad20f4a4eab43c05
Instruction Fuzzy Hash: 8A41517195420A9FCF16DF64C985BEEBBF8EF05310F244157E805A6291EB30AE94CF61

Function 002E997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 002E9A4E
GetSysColor.USER32(0000000F), ref: 002E9B23
SetBkColor.GDI32(?,00000000), ref: 002E9B36

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 16812244498672c1699764471f689121673823d1c66b82fdf0a6dac4bd5d82d0
Instruction ID: df2fa384afde67539d80df07e0f2de8fc79638d1a71f776c30a2e31ba98beb76
Opcode Fuzzy Hash: 16812244498672c1699764471f689121673823d1c66b82fdf0a6dac4bd5d82d0
Instruction Fuzzy Hash: 67A159701781A0BEE7279E2E9C58E7B265DEF43304F51411FF402CA795CB659DA1C272

Function 00351806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0035304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0035307A
Part of subcall function 0035304E: _wcslen.LIBCMT ref: 0035309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0035185D
WSAGetLastError.WSOCK32 ref: 00351884
bind.WSOCK32(00000000,?,00000010), ref: 003518DB
WSAGetLastError.WSOCK32 ref: 003518E6
closesocket.WSOCK32(00000000), ref: 00351915

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1e5e5996c2cf9fe2db9536cd88da5bf5463e15b1908ec88c28dfcdd7a8f5d7f1
Instruction ID: 13a4175e8295767e72e030e00c68ffc80e294f55b5aefd56dbff72f598f31ccd
Opcode Fuzzy Hash: 1e5e5996c2cf9fe2db9536cd88da5bf5463e15b1908ec88c28dfcdd7a8f5d7f1
Instruction Fuzzy Hash: 1751E171A10200AFDB21AF24C886F6A77E5AB44718F588099FD469F3D3C775AD42CBE1

Function 00361C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00361CC0
IsWindowEnabled.USER32 ref: 00361CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00361CDB
IsIconic.USER32 ref: 00361CE9
IsZoomed.USER32 ref: 00361CF7

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: aa25beaa1482779a1b26c7b19970ecace3909fc1554597a3b489188a8f2ed099
Instruction ID: 72d6be8ef65e8d96a265d840ae6f4c7719e61df4ec7ae29521af988f8e113989
Opcode Fuzzy Hash: aa25beaa1482779a1b26c7b19970ecace3909fc1554597a3b489188a8f2ed099
Instruction Fuzzy Hash: 2121D3317406015FD7228F1AC844B6A7BA9EF95314F1EC069E886CB355CBB1DC42CB90

Function 002D8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002D843C
ERCP, xrefs: 002D813C
VUUU, xrefs: 00315DF0
VUUU, xrefs: 002D83E8
VUUU, xrefs: 002D83FA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 95fea641a7d8d8a79898e0bed93a9949356a6695c9d19fe2e12296eeb4658099
Instruction ID: 3b0b7db87ffe3abe2787230fbd9e0ed3bf20cc33847946e743ebc9042479f5c3
Opcode Fuzzy Hash: 95fea641a7d8d8a79898e0bed93a9949356a6695c9d19fe2e12296eeb4658099
Instruction Fuzzy Hash: 77A29D75E1061ACBDF29CF58C8417EEB7B1BB48310F2585AAE815A7384EB709DD1CB90

Function 00338298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003382AA

Strings

tb9, xrefs: 003384F4
(, xrefs: 003382F0
|, xrefs: 003382DA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb9$|
API String ID: 1659193697-3818886284
Opcode ID: 181d29e51929f832be32394f54a0481c4ee48e647db0c346f44830cc6f2689eb
Instruction ID: e9e6a7edbe740a2c4d177e9c173977e834781500a712b1af5df6d879e819dcd8
Opcode Fuzzy Hash: 181d29e51929f832be32394f54a0481c4ee48e647db0c346f44830cc6f2689eb
Instruction Fuzzy Hash: 7D322579A007059FCB29CF19C481A6AB7F0FF48720B15856EE59ADB7A1EB70E941CB40

Function 0033AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0033AAAC
SetKeyboardState.USER32(00000080), ref: 0033AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0033AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0033AB88

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 34b6939e8d9844028c36e5638319371b8a36ed2eb8f2deb8cc8711a5548b0168
Instruction ID: 3bf96a4cbb40601c6ef6b3afddbfaf3b997d9a0b7ef7cac0c4cbd8144059ae6f
Opcode Fuzzy Hash: 34b6939e8d9844028c36e5638319371b8a36ed2eb8f2deb8cc8711a5548b0168
Instruction Fuzzy Hash: A3313D31A40A48AEFF37CB65CC85BFAF7AAAB44310F08421AF1C1561D1D3B48981D763

Function 0030BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0030BB7F

Part of subcall function 003029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000), ref: 003029DE
Part of subcall function 003029C8: GetLastError.KERNEL32(00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000,00000000), ref: 003029F0

GetTimeZoneInformation.KERNEL32 ref: 0030BB91
WideCharToMultiByte.KERNEL32(00000000,?,003A121C,000000FF,?,0000003F,?,?), ref: 0030BC09
WideCharToMultiByte.KERNEL32(00000000,?,003A1270,000000FF,?,0000003F,?,?,?,003A121C,000000FF,?,0000003F,?,?), ref: 0030BC36

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 03ffcf0e9ea2061347c591d2d259378649c8af86d2fe87138fa28c8babb08294
Instruction ID: 57b5263a825b0e6b4e0434c579ccf43652fc53796aee11ac502e46fcb2a8202d
Opcode Fuzzy Hash: 03ffcf0e9ea2061347c591d2d259378649c8af86d2fe87138fa28c8babb08294
Instruction Fuzzy Hash: 1931AB70905245DFCB13DF688CA0A6AFBBCFF46350B154AAAE061DB2E1D7309940CB50

Function 0034CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0034CE89
GetLastError.KERNEL32(?,00000000), ref: 0034CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0034CEFE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: efc2ed9e987833364f668fa58d97d414157d195105e87e66b5605aebdea69989
Instruction ID: b87ba54133a99dbdd2cfb3b54b0f84c49bb40bebbfbe0bb0d05d9576591f052d
Opcode Fuzzy Hash: efc2ed9e987833364f668fa58d97d414157d195105e87e66b5605aebdea69989
Instruction Fuzzy Hash: 5A210DB15213049BDB62DFA1C848BA6B7FCEB00345F10842EE646D6151E774FE488B50

Function 00345C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00345CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00345D17
FindClose.KERNEL32(?), ref: 00345D5F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 179ffa7af88d611e02a5fb07edcff4efc122046df554c25a47d2d6556e5b6eb9
Instruction ID: 3045704aeca5395f410c6c72a9dc74670d4b7c109148cded579fcc792fe753b3
Opcode Fuzzy Hash: 179ffa7af88d611e02a5fb07edcff4efc122046df554c25a47d2d6556e5b6eb9
Instruction Fuzzy Hash: 86517834A04A019FC715DF28C494A9AB7E4FF4A314F15855EE99A8B3A2DB30FD14CF91

Function 00302622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0030271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00302724
UnhandledExceptionFilter.KERNEL32(?), ref: 00302731

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 01289c2b8419ab0b0077e87d37c2b90f6512ae3771ee63117bc3d58437df0b94
Instruction ID: 0be93ed84f6ab13da9560cff1c12afd1883a3759acdaf83e20c79aa87fd0565b
Opcode Fuzzy Hash: 01289c2b8419ab0b0077e87d37c2b90f6512ae3771ee63117bc3d58437df0b94
Instruction Fuzzy Hash: D631D57491121C9BCB22DF64DD8879DBBB8BF08710F5041EAE90CA7261E7749F858F44

Function 003451CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003451DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00345238
SetErrorMode.KERNEL32(00000000), ref: 003452A1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4c7af63481d5b00fd3f01cb1605da6a79047858f22825efde4ce30dd635296a3
Instruction ID: 418d199ff919c7bb2dda75bf3de34e8d2483f75cf3cebebde763942db41e509f
Opcode Fuzzy Hash: 4c7af63481d5b00fd3f01cb1605da6a79047858f22825efde4ce30dd635296a3
Instruction Fuzzy Hash: A4316B35A105089FDB01DF94D884EADBBF4FF49314F04849AE805AB362DB71EC56CB90

Function 003316C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002F0668
Part of subcall function 002EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 002F0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033173A
GetLastError.KERNEL32 ref: 0033174A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 87c376ad4bd4cd3d24eb65c844af68340f3c467b8f3d5f5c71ebddf5524849a8
Instruction ID: ef2d3fd7c1ce8ab301db92234d9eac19629d3f75b17524bc3ccf210b1e1d562e
Opcode Fuzzy Hash: 87c376ad4bd4cd3d24eb65c844af68340f3c467b8f3d5f5c71ebddf5524849a8
Instruction Fuzzy Hash: F611CEB2424305AFD719AF54DCC6E6ABBBDFB04754F24852EE09653241EB70FC42CA20

Function 0033D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0033D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0033D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0033D650

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 72f7f8f7084d8ef78530ef158c6e587ac5a1b1e06088a37c51e5511c7d8ee3f3
Instruction ID: b18b03be5582763ec1b0e4e14f3a2759e79b588a5429d9a62ac4b61e1b010b61
Opcode Fuzzy Hash: 72f7f8f7084d8ef78530ef158c6e587ac5a1b1e06088a37c51e5511c7d8ee3f3
Instruction Fuzzy Hash: 7A11A175E01228BFDB118F95EC85FAFBFBCEB45B50F108111F914E7290C2B04A058BA1

Function 00331663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0033168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003316A1
FreeSid.ADVAPI32(?), ref: 003316B1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c5149c18df702ee429f205c4bd971fbca4933b40df2aa12cf22632b7681e427e
Instruction ID: 76d12a758f924bf65775d169f9c1a7f935084d2f131531890818e8b4cd2cc460
Opcode Fuzzy Hash: c5149c18df702ee429f205c4bd971fbca4933b40df2aa12cf22632b7681e427e
Instruction Fuzzy Hash: 47F0F471960309FBDB01DFE49D89AAEBBBCEB08704F509565E901E2181E774EA448A50

Function 0032D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0032D28C

Strings

X64, xrefs: 0032D2A8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5b6e2cdca3efcc73a9c09da9b042ecbb5391af09f44c55456f913e4a6f7fa126
Instruction ID: 74209317df3ef7909504f403b5152f3e27438f1b39dc65704670b4c44ab23a5c
Opcode Fuzzy Hash: 5b6e2cdca3efcc73a9c09da9b042ecbb5391af09f44c55456f913e4a6f7fa126
Instruction Fuzzy Hash: 15D0CAB482522DEBCB91CBA0EC88DEAB3BCBB04305F104692F106A2000DBB096488F20

Function 002FCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bcf948d577d3902231c170a49cc96641f4e3eca0e40aa70d723b1e5e550bb3f0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 4B023D71E1011D9BDF14CFA9C9806ADFBF1EF48354F25426AD919EB380D731A951CB80

Function 002DCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00320C40
p#:, xrefs: 002DCF7F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#:
API String ID: 0-2548002463
Opcode ID: 0d360957cb6dfd2925aa6f557ff6fb3c9a9799768f909fdc74148aa0f0ebde3d
Instruction ID: e885b44dea59eaa2e8bbac049e6d1564f7e25a956114f2df104d3e9813c73b31
Opcode Fuzzy Hash: 0d360957cb6dfd2925aa6f557ff6fb3c9a9799768f909fdc74148aa0f0ebde3d
Instruction Fuzzy Hash: F0329C7092422ADFCF19DF90D980AEDB7B9FF05304F21405AE806AB392D771AE59CB50

Function 003468EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00346918
FindClose.KERNEL32(00000000), ref: 00346961

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5cc7a98f81b8a1d281a512dfddeb2bafe27c71e2893ff24bd7a43c727fb738ce
Instruction ID: cf45a960efe3bad3e940bce984c9deb87143e9e4ce59ad8c279d2de23bbe593e
Opcode Fuzzy Hash: 5cc7a98f81b8a1d281a512dfddeb2bafe27c71e2893ff24bd7a43c727fb738ce
Instruction Fuzzy Hash: 8E1190316142019FC710DF29D485A26BBE5FF85328F15C69AE8698F7A2C770EC05CB91

Function 003437B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00354891,?,?,00000035,?), ref: 003437E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00354891,?,?,00000035,?), ref: 003437F4

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2f48470928a4030e0a531a0926b492a3202e92462e890eee5f8e5b86a47d405d
Instruction ID: 979ebcdc85327f720510d268b9ef9dd2115a89038f4aae2d29dfef980102326e
Opcode Fuzzy Hash: 2f48470928a4030e0a531a0926b492a3202e92462e890eee5f8e5b86a47d405d
Instruction Fuzzy Hash: E6F0E5B06152282AEB2117668C4DFEB3AAEEFC8761F004266F509D3281D9A09D44C6B0

Function 0033B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0033B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0033B270

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 783ab5c1786fe7f711f617a46f016da7a70a37e978bb9ed1a72cf0ad3231d754
Instruction ID: 2d172f493eb34f553604227b2fdf11c00b69b65a708021311c184c51f0691982
Opcode Fuzzy Hash: 783ab5c1786fe7f711f617a46f016da7a70a37e978bb9ed1a72cf0ad3231d754
Instruction Fuzzy Hash: 7CF01D7181428DAFDB069FA1C806BBEBBB4FF04309F00940AFA65A5192C7B986119F94

Function 003310BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003311FC), ref: 003310D4
CloseHandle.KERNEL32(?,?,003311FC), ref: 003310E9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5ec98c94961ee5f612046637c5f69e640c9093e10d987bf7ba437e71b2fcbb41
Instruction ID: ec0298b976f0e2e21feef35a43e978d94b1c41cd55684970082656dfae2d9625
Opcode Fuzzy Hash: 5ec98c94961ee5f612046637c5f69e640c9093e10d987bf7ba437e71b2fcbb41
Instruction Fuzzy Hash: 8DE0B871054651AEE7661B51FD05E7777ADEB04310F14C42DF59580471DB626CA0DB50

Function 0030676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00306766,?,?,00000008,?,?,0030FEFE,00000000), ref: 00306998

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d0042aa662579ed1b05efb8e5ddda292ae0d99a3f817115f2fd3850dde6f2f8a
Instruction ID: 404ad0be7322e2d2e91c631f0cdcedf551b0066a8656a23a8f9714fc727f83ac
Opcode Fuzzy Hash: d0042aa662579ed1b05efb8e5ddda292ae0d99a3f817115f2fd3850dde6f2f8a
Instruction Fuzzy Hash: 2CB16A716116088FD716CF28C4AAB657BE0FF45364F26C658E899CF2E6C335E9A1CB40

Function 002EB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0032851F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 98fa720ebc0e385a335d5da03e338763b994296f911876b10f44111af08b7e0b
Instruction ID: 4d2068704dd1b7404deec14d3c14798c5e4e783901edd2a474b402eab2bd9d2c
Opcode Fuzzy Hash: 98fa720ebc0e385a335d5da03e338763b994296f911876b10f44111af08b7e0b
Instruction Fuzzy Hash: A0128E75D102299BCB26CF59D8916EEB7F5FF48310F50819AE809EB245DB309E81CF90

Function 0034EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0034EABD

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c2dfb800f062c9b8a8d4fc7c8cbdd36a33bc1716a0ab8caee31917cf5258ba94
Instruction ID: 39e64766894159687b5b46d89e683c138f1e4942cc7185b5875102f50aa24806
Opcode Fuzzy Hash: c2dfb800f062c9b8a8d4fc7c8cbdd36a33bc1716a0ab8caee31917cf5258ba94
Instruction Fuzzy Hash: 3DE01A312242059FC711EF69D804E9AB7EDBF98760F018417FD49CB361DAB0AC408B90

Function 002F09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002F03EE), ref: 002F09DA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 56ad727ca0e16f9e9f8c9bd6523fec1fbadfd76d1c64e1828c0cccc283b182e5
Instruction ID: 7553beb7d43cd37d80e48ed1328da4e931c630b8db090f84289bb9677aba654b
Opcode Fuzzy Hash: 56ad727ca0e16f9e9f8c9bd6523fec1fbadfd76d1c64e1828c0cccc283b182e5
Instruction Fuzzy Hash:

Function 002F781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 002F798B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 318bef52c65b25194b6a5de2d1daa717cf285c82d31991382e0aa9385f795fb7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 16516A6163C60F57DB384D68895DBBEE3999B123C0F180539DB82C7282C691DE36E752

Function 00342046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&:, xrefs: 00342053

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: 0&:
API String ID: 0-3740821012
Opcode ID: 0e449a38d6be646f23bedb3945a413c81626321b03313f4f6c530def2b7a4c74
Instruction ID: ba0dbaf652ddb160f8355a0cc5abdd4c74f03301c26056b54261c391ba858651
Opcode Fuzzy Hash: 0e449a38d6be646f23bedb3945a413c81626321b03313f4f6c530def2b7a4c74
Instruction Fuzzy Hash: F921D5322216118BDB28CF79C82267B73E9A754310F15862EE4A7D77D0DE35A904CB80

Function 00306DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015e8047add98e49ac607b017f1cb7ad51569058df3c85f4e6f50123c305b7ce
Instruction ID: c6f4ddd9263fbf50493a74023a56abffe8ce42645d7d8605cccc384806a4834a
Opcode Fuzzy Hash: 015e8047add98e49ac607b017f1cb7ad51569058df3c85f4e6f50123c305b7ce
Instruction Fuzzy Hash: B732F022D2AF414DD7239635CC32326A64DAFB73C5F15D727E82AB5DA6EB29D4C34100

Function 002ECC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1568e78e4a22588b6063c2adf8134ca6e23dcac28a5143862c2a431e78ffba
Instruction ID: c7ac998e9977213bc5f67ba3a53aa656fed26995c3f2207c28f692e201fdd7fb
Opcode Fuzzy Hash: fd1568e78e4a22588b6063c2adf8134ca6e23dcac28a5143862c2a431e78ffba
Instruction Fuzzy Hash: FC324B32A201A58FCF26CF69E490ABD77A1EF45300F79A167E849CB691D330DD82DB40

Function 002D7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076224a38535499919a4231450d8f129a440ec7d39ede8e1abc8a54577836c18
Instruction ID: d2f8a9bbe2913146f1570bf3602eb0decfa9c0e5b59ce756cd1ef080aeef78d1
Opcode Fuzzy Hash: 076224a38535499919a4231450d8f129a440ec7d39ede8e1abc8a54577836c18
Instruction Fuzzy Hash: 9522B270A1060ADFDF14CF65C981AEEB3B5FF48304F14452AE816A7391EB3AAD61CB50

Function 002D91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34faaf33ff390e2681c81a26f86ea10b9a65aad48b0c84e864d6da62ed560c93
Instruction ID: fe9f8fb21edb33c0174f8f33d21507fc50741811d633fd2bf1530558e1d30443
Opcode Fuzzy Hash: 34faaf33ff390e2681c81a26f86ea10b9a65aad48b0c84e864d6da62ed560c93
Instruction Fuzzy Hash: 0302A4B1E10209EBDB05DF54D981AADB7B5FF48300F518169F8169B391EB32AE60CF91

Function 00309EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea64c76319db3c9ea9e0f666c30c52b8b9a51d91f7fdf2a7872c6b416749669f
Instruction ID: 1275b201cd32d7de3067136184d2552562c38deb9170cc32b5575921760aa0ba
Opcode Fuzzy Hash: ea64c76319db3c9ea9e0f666c30c52b8b9a51d91f7fdf2a7872c6b416749669f
Instruction Fuzzy Hash: 8AB10124E2AF414DD23396398831336B65CAFBB2C5F91D31BFC1A78D62EB2286C35141

Function 002F1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 6fa22bc3436f92f6872503c7116a9ba3947cc8ab3d6709614f3bdfda50f78149
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6E9187325280A78ADB2D4A3A857403EFFF15A923E135A07BED5F2CA1C5EE50C974D620

Function 002F1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 993f5f69518fb0fa89a83a96f2d51ae0ace772428c9b86cb424f984dfd3494a3
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F19188732280A789D72D463A853403EFFE15A933E131A07BDD5F6CB1C5EE248578D620

Function 002F19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 562d56c7912ec1b0d5911caa650b004d908fd9c34117ba9c20870ec7e7b95e59
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D19192322290A7CADB2D4A7A857403DFFE15A923E235A07BED5F2CA1C1FD14C574D620

Function 002F7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e008c58cfcb5d3a8615ca2d9afba550341cbec530a0790e57fbc297fa84ea9b
Instruction ID: 6e43d4abba595072db39715cd44855d0d0b26cf4e14bd200e2f776dba6cf2961
Opcode Fuzzy Hash: 7e008c58cfcb5d3a8615ca2d9afba550341cbec530a0790e57fbc297fa84ea9b
Instruction Fuzzy Hash: 2061596123870F96EA345D28CCA5BBEE394DF427C8F10093AEB43DB281D9919E72C755

Function 002F7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61e2c60dcc00112f9cf3c550250f4d6fe296061b28b0bc097f376a044c2d949
Instruction ID: 45783a350d34c36552bc592652898c5b0bf54000f47f2c5ec17c7024a350e556
Opcode Fuzzy Hash: a61e2c60dcc00112f9cf3c550250f4d6fe296061b28b0bc097f376a044c2d949
Instruction Fuzzy Hash: 8C61672163870E52DE384E285855BBEE389DF42BC4F90097AEB42CB281DB929D72C715

Function 002F1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 93f67abe42ee003a22ba105be0afc14c146519b55a5bda4d0cbd9058daea5749
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7E81B8325280E789EB2D4A3A853443EFFE15A923E135A07BDD5F2CB1C1EE54C574E660

Function 002ED064 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8310a42e857c21a3c939942f85b89c39f37c43e9016041433d5321d5fb1e5421
Instruction ID: 4dc915ff784bbfa9357298e6513811570cc4c53286abf4aca048962695121a39
Opcode Fuzzy Hash: 8310a42e857c21a3c939942f85b89c39f37c43e9016041433d5321d5fb1e5421
Instruction Fuzzy Hash: F96113A258EBC2AFCB135F344C79195BFB09D2724030D5AEBC1C20F093D698549AEF86

Function 002D90BC Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0bd83fb2a9f51642866fe5a52f83669d2784c78bc33783d7a8d0ae7e1fc415
Instruction ID: 8ead59bd877701b3d02046c999b8b47eaf15e1313ff85737ef526b822763f65f
Opcode Fuzzy Hash: 2a0bd83fb2a9f51642866fe5a52f83669d2784c78bc33783d7a8d0ae7e1fc415
Instruction Fuzzy Hash: 4331457A55D2D44EC7070B789C6A3E23FB5EE1720874906DBD0C29E0A3D2158A87CB12

Function 00352ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00352B30
DeleteObject.GDI32(00000000), ref: 00352B43
DestroyWindow.USER32 ref: 00352B52
GetDesktopWindow.USER32 ref: 00352B6D
GetWindowRect.USER32(00000000), ref: 00352B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00352CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00352CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352CF8
GetClientRect.USER32(00000000,?), ref: 00352D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00352D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352D80
GlobalLock.KERNEL32(00000000), ref: 00352D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352D98
GlobalUnlock.KERNEL32(00000000), ref: 00352DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352DA8
GlobalFree.KERNEL32(00000000), ref: 00352DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0036FC38,00000000), ref: 00352DDB
GlobalFree.KERNEL32(00000000), ref: 00352DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00352E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00352E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00352E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035303F

Strings

AutoIt v3, xrefs: 00352CF2
, xrefs: 00352FC5
static, xrefs: 00352D3A, 00352E91
DISPLAY, xrefs: 00352EA2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a93df51daba6fff86024d652fbb3954ab1a11da5b289b34e18e60acdbb6e9965
Instruction ID: cdef965ba452928ce5ee8e7fde4fd6b5c4c698f6db72026a26dfe26cd66ba9dd
Opcode Fuzzy Hash: a93df51daba6fff86024d652fbb3954ab1a11da5b289b34e18e60acdbb6e9965
Instruction Fuzzy Hash: 1D029B75A10205EFDB16DF64DC89EAE7BB9EB49311F048119F915AB2A1CBB4ED00CF60

Function 003670D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0036712F
GetSysColorBrush.USER32(0000000F), ref: 00367160
GetSysColor.USER32(0000000F), ref: 0036716C
SetBkColor.GDI32(?,000000FF), ref: 00367186
SelectObject.GDI32(?,?), ref: 00367195
InflateRect.USER32(?,000000FF,000000FF), ref: 003671C0
GetSysColor.USER32(00000010), ref: 003671C8
CreateSolidBrush.GDI32(00000000), ref: 003671CF
FrameRect.USER32(?,?,00000000), ref: 003671DE
DeleteObject.GDI32(00000000), ref: 003671E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00367230
FillRect.USER32(?,?,?), ref: 00367262
GetWindowLongW.USER32(?,000000F0), ref: 00367284

Part of subcall function 003673E8: GetSysColor.USER32(00000012), ref: 00367421
Part of subcall function 003673E8: SetTextColor.GDI32(?,?), ref: 00367425
Part of subcall function 003673E8: GetSysColorBrush.USER32(0000000F), ref: 0036743B
Part of subcall function 003673E8: GetSysColor.USER32(0000000F), ref: 00367446
Part of subcall function 003673E8: GetSysColor.USER32(00000011), ref: 00367463
Part of subcall function 003673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00367471
Part of subcall function 003673E8: SelectObject.GDI32(?,00000000), ref: 00367482
Part of subcall function 003673E8: SetBkColor.GDI32(?,00000000), ref: 0036748B
Part of subcall function 003673E8: SelectObject.GDI32(?,?), ref: 00367498
Part of subcall function 003673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003674B7
Part of subcall function 003673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003674CE
Part of subcall function 003673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003674DB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dc1a6ae6290d591e2e30a2fdaac254f627d1c63276b86722fd60ab752df18755
Instruction ID: 65f83e9742439fd431189fb9808d20725d44fa3e9a0d4c6f1c3cc8d960923da1
Opcode Fuzzy Hash: dc1a6ae6290d591e2e30a2fdaac254f627d1c63276b86722fd60ab752df18755
Instruction Fuzzy Hash: C9A1D472018301BFD7029F60DC48E6B7BADFF4A324F509A19FAA2961E0D7B5E844CB51

Function 002E8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002E8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00326AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00326AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00326F43

Part of subcall function 002E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002E8BE8,?,00000000,?,?,?,?,002E8BBA,00000000,?), ref: 002E8FC5

SendMessageW.USER32(?,00001053), ref: 00326F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00326F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00326FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00326FB7

Strings

0, xrefs: 00326DCF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: fd6bc2f1805b5bbd2e27f440bfdbbb073a5aa6e702ef9afb188c84d39f1eafd8
Instruction ID: 8bca27865ea0194e79cf508c31ffa844e83d8381fbe61aa54a3c164d327b7649
Opcode Fuzzy Hash: fd6bc2f1805b5bbd2e27f440bfdbbb073a5aa6e702ef9afb188c84d39f1eafd8
Instruction Fuzzy Hash: E412CC30210261EFCB26DF25E945BBAB7A9FF45300F59846DF4898B261CB71EC61CB91

Function 00352711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0035273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0035286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003528A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003528B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00352900
GetClientRect.USER32(00000000,?), ref: 0035290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00352955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00352964
GetStockObject.GDI32(00000011), ref: 00352974
SelectObject.GDI32(00000000,00000000), ref: 00352978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00352988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00352991
DeleteDC.GDI32(00000000), ref: 0035299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003529C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003529DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00352A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00352A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00352A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00352A77
GetStockObject.GDI32(00000011), ref: 00352A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00352A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00352A97

Strings

msctls_progress32, xrefs: 00352A13
AutoIt v3, xrefs: 003528F8
static, xrefs: 0035294F, 00352A71
DISPLAY, xrefs: 0035295A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2b27d3ca82073979f2546e77472b53ec52a67819e4ddc3a049183d2c8137eeb2
Instruction ID: 8e0d52c6aaad48f318e2b7a4b7375820d14d9535ce6bf9b39095eda8b1ad7e01
Opcode Fuzzy Hash: 2b27d3ca82073979f2546e77472b53ec52a67819e4ddc3a049183d2c8137eeb2
Instruction Fuzzy Hash: 98B17A75A10215AFEB11DFA8DC49EAF7BA9EB09711F008115F914EB2E0D7B4AD00CFA0

Function 00344ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00344AED
GetDriveTypeW.KERNEL32(?,0036CB68,?,\\.\,0036CC08), ref: 00344BCA
SetErrorMode.KERNEL32(00000000,0036CB68,?,\\.\,0036CC08), ref: 00344D36

Strings

Removable, xrefs: 00344C10, 00344C15
\\.\, xrefs: 00344B3F
USB, xrefs: 00344CB4
SSA, xrefs: 00344CA6
Fixed, xrefs: 00344C09
PhysicalDrive, xrefs: 00344B76
SSD, xrefs: 00344C4A
MMC, xrefs: 00344CDE
Network, xrefs: 00344C02
RAID, xrefs: 00344CBB
Fibre, xrefs: 00344CAD
ATA, xrefs: 00344C98
SAS, xrefs: 00344CC9
ATAPI, xrefs: 00344C91
iSCSI, xrefs: 00344CC2
SCSI, xrefs: 00344C8A
Unknown, xrefs: 00344BED, 00344C83
CDROM, xrefs: 00344BFB
RAMDisk, xrefs: 00344BF4
FileBackedVirtual, xrefs: 00344CEC
Virtual, xrefs: 00344CE5
1394, xrefs: 00344C9F
SATA, xrefs: 00344CD0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 82731f6ac9776a55f3de9503ce714f103642f21359f6c7b8f689a93389f69395
Instruction ID: 22596e6542c8396084af2a5285b17ad335d1cb9a418323e7ba8ecaedd412c30d
Opcode Fuzzy Hash: 82731f6ac9776a55f3de9503ce714f103642f21359f6c7b8f689a93389f69395
Instruction Fuzzy Hash: 1C61A430606205ABCF07DF24CAC2AA977E4EB05745B288436F806AF695DB75FD41DB41

Function 003673E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00367421
SetTextColor.GDI32(?,?), ref: 00367425
GetSysColorBrush.USER32(0000000F), ref: 0036743B
GetSysColor.USER32(0000000F), ref: 00367446
CreateSolidBrush.GDI32(?), ref: 0036744B
GetSysColor.USER32(00000011), ref: 00367463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00367471
SelectObject.GDI32(?,00000000), ref: 00367482
SetBkColor.GDI32(?,00000000), ref: 0036748B
SelectObject.GDI32(?,?), ref: 00367498
InflateRect.USER32(?,000000FF,000000FF), ref: 003674B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003674CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003674DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0036752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00367554
InflateRect.USER32(?,000000FD,000000FD), ref: 00367572
DrawFocusRect.USER32(?,?), ref: 0036757D
GetSysColor.USER32(00000011), ref: 0036758E
SetTextColor.GDI32(?,00000000), ref: 00367596
DrawTextW.USER32(?,003670F5,000000FF,?,00000000), ref: 003675A8
SelectObject.GDI32(?,?), ref: 003675BF
DeleteObject.GDI32(?), ref: 003675CA
SelectObject.GDI32(?,?), ref: 003675D0
DeleteObject.GDI32(?), ref: 003675D5
SetTextColor.GDI32(?,?), ref: 003675DB
SetBkColor.GDI32(?,?), ref: 003675E5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8257e030374917cf48fca45198003b5c6475a119582bae84cd6367f4e4a38cb0
Instruction ID: 34ebdaf11c6a9ded8151821bc41bf78bce779590a8a5144874de8a254eb43709
Opcode Fuzzy Hash: 8257e030374917cf48fca45198003b5c6475a119582bae84cd6367f4e4a38cb0
Instruction Fuzzy Hash: C9617172910218AFDF029FA4DC49EEE7FB9EF09320F159115FA15AB2A1D7B49940CF90

Function 00360FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00361128
GetDesktopWindow.USER32 ref: 0036113D
GetWindowRect.USER32(00000000), ref: 00361144
GetWindowLongW.USER32(?,000000F0), ref: 00361199
DestroyWindow.USER32(?), ref: 003611B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003611ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0036120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0036121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00361232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00361245
IsWindowVisible.USER32(00000000), ref: 003612A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003612BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003612D0
GetWindowRect.USER32(00000000,?), ref: 003612E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0036130E
GetMonitorInfoW.USER32(00000000,?), ref: 00361328
CopyRect.USER32(?,?), ref: 0036133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003613AA

Strings

tooltips_class32, xrefs: 003611E6
0, xrefs: 003610D3
(, xrefs: 0036131B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 21ab3072bd17e25bd0ed699ceacfa9c26070d44e820bd8a6fbe341e63094bf8c
Instruction ID: 294f4bf3dea14bbef387f26a5eb12614413f0003d67428c4a7ca01e4632d2c74
Opcode Fuzzy Hash: 21ab3072bd17e25bd0ed699ceacfa9c26070d44e820bd8a6fbe341e63094bf8c
Instruction Fuzzy Hash: B1B19C71614341AFDB01DF64C884B6ABBE8FF89304F048919F99A9B2A1C771EC54CF92

Function 002E8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002E8968
GetSystemMetrics.USER32(00000007), ref: 002E8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002E899B
GetSystemMetrics.USER32(00000008), ref: 002E89A3
GetSystemMetrics.USER32(00000004), ref: 002E89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002E89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002E89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002E8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002E8A3C
GetClientRect.USER32(00000000,000000FF), ref: 002E8A5A
GetStockObject.GDI32(00000011), ref: 002E8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 002E8A81

Part of subcall function 002E912D: GetCursorPos.USER32(?), ref: 002E9141
Part of subcall function 002E912D: ScreenToClient.USER32(00000000,?), ref: 002E915E
Part of subcall function 002E912D: GetAsyncKeyState.USER32(00000001), ref: 002E9183
Part of subcall function 002E912D: GetAsyncKeyState.USER32(00000002), ref: 002E919D

SetTimer.USER32(00000000,00000000,00000028,002E90FC), ref: 002E8AA8

Strings

AutoIt v3 GUI, xrefs: 002E8A20

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fb49fdc88f238432c96e1bcb951c7ff8b19282fecb4d0482e699e5e2eaaed9b8
Instruction ID: 34dabe3816a007f131a08d4fad6895d4f0dbf3c64f4633258397d495a93d480c
Opcode Fuzzy Hash: fb49fdc88f238432c96e1bcb951c7ff8b19282fecb4d0482e699e5e2eaaed9b8
Instruction Fuzzy Hash: 5EB1BC35A5020A9FDB05DFA9DC45BAE3BB8FF49314F008229FA55A7290DB74E850CF50

Function 00330D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00331114
Part of subcall function 003310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 00331120
Part of subcall function 003310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 0033112F
Part of subcall function 003310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 00331136
Part of subcall function 003310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0033114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00330DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00330E29
GetLengthSid.ADVAPI32(?), ref: 00330E40
GetAce.ADVAPI32(?,00000000,?), ref: 00330E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00330E96
GetLengthSid.ADVAPI32(?), ref: 00330EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00330EB5
HeapAlloc.KERNEL32(00000000), ref: 00330EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00330EDD
CopySid.ADVAPI32(00000000), ref: 00330EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00330F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00330F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00330F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00330F6E
HeapFree.KERNEL32(00000000), ref: 00330F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00330F7E
HeapFree.KERNEL32(00000000), ref: 00330F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00330F8E
HeapFree.KERNEL32(00000000), ref: 00330F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00330FA1
HeapFree.KERNEL32(00000000), ref: 00330FA8

Part of subcall function 00331193: GetProcessHeap.KERNEL32(00000008,00330BB1,?,00000000,?,00330BB1,?), ref: 003311A1
Part of subcall function 00331193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00330BB1,?), ref: 003311A8
Part of subcall function 00331193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00330BB1,?), ref: 003311B7

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 516f18a2c99400483f9b803d7b1f97db6aa733887dae4c0d8ad97ff12f1a6016
Instruction ID: 3e4ec7c5e9d3989b913963f7ce523cf549381b313ed7d85e80b11c2d977bbd6e
Opcode Fuzzy Hash: 516f18a2c99400483f9b803d7b1f97db6aa733887dae4c0d8ad97ff12f1a6016
Instruction Fuzzy Hash: 5E71597290020AEBDF269FA4DC88FEEBBBCBF05700F058215F959E6191D7719A05CB60

Function 0035C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0036CC08,00000000,?,00000000,?,?), ref: 0035C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0035C5A4
_wcslen.LIBCMT ref: 0035C5F4
_wcslen.LIBCMT ref: 0035C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0035C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0035C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0035C84D
RegCloseKey.ADVAPI32(?), ref: 0035C881
RegCloseKey.ADVAPI32(00000000), ref: 0035C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0035C960

Strings

REG_QWORD, xrefs: 0035C8C3
REG_DWORD, xrefs: 0035C804
REG_MULTI_SZ, xrefs: 0035C6F5
REG_SZ, xrefs: 0035C644
REG_EXPAND_SZ, xrefs: 0035C5CD
REG_BINARY, xrefs: 0035C913

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b4e5c745acfc4aaae80682c93f6701a6748d7dc1c8b1cb0aca00e43e33f128f4
Instruction ID: 468791bc81a8ebb051839c2e072aabb814cf084ca66dc729a107f3b84f435042
Opcode Fuzzy Hash: b4e5c745acfc4aaae80682c93f6701a6748d7dc1c8b1cb0aca00e43e33f128f4
Instruction Fuzzy Hash: 9B1267356242019FCB15DF14C891E2AB7E5EF88718F15889DF88A9B3A2DB31ED45CF81

Function 0036091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003609C6
_wcslen.LIBCMT ref: 00360A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00360A54
_wcslen.LIBCMT ref: 00360A8A
_wcslen.LIBCMT ref: 00360B06
_wcslen.LIBCMT ref: 00360B81

Part of subcall function 002EF9F2: _wcslen.LIBCMT ref: 002EF9FD

Part of subcall function 00332BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00332BFA

Strings

EXPAND, xrefs: 00360BF8
ISCHECKED, xrefs: 00360CE1
GETTOTALCOUNT, xrefs: 003609F2, 00360A17
UNCHECK, xrefs: 00360D3E
CHECK, xrefs: 00360A85, 00360AA0
COLLAPSE, xrefs: 00360B01, 00360B1C
SELECT, xrefs: 00360D11
GETSELECTED, xrefs: 00360C4E
GETITEMCOUNT, xrefs: 00360C1E
GETTEXT, xrefs: 00360C97
EXISTS, xrefs: 00360B7C, 00360B97

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 040e7672b3fda2551d9817c036eb8e54b49e05461920cdb3dc04c307668cf5a7
Instruction ID: 00ea64fc1f52ec8779fa3a218edb44e0af605f591a4c3d88b55b543b58476d04
Opcode Fuzzy Hash: 040e7672b3fda2551d9817c036eb8e54b49e05461920cdb3dc04c307668cf5a7
Instruction Fuzzy Hash: C4E1CC352183018FCB1AEF24C49292BB7E2BF98344F55895DF8969B3A6D730ED45CB81

Function 0035C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035B6AE,?,?), ref: 0035C9B5
_wcslen.LIBCMT ref: 0035C9F1
_wcslen.LIBCMT ref: 0035CA68
_wcslen.LIBCMT ref: 0035CA9E
_wcslen.LIBCMT ref: 0035CAF9
_wcslen.LIBCMT ref: 0035CB2F
_wcslen.LIBCMT ref: 0035CB7F

Strings

HKU, xrefs: 0035CBF0
HKEY_CURRENT_CONFIG, xrefs: 0035CB79, 0035CB7E
HKEY_LOCAL_MACHINE, xrefs: 0035CA62, 0035CA67
HKCC, xrefs: 0035CBAC
HKEY_USERS, xrefs: 0035CBDF
HKCU, xrefs: 0035CBCE
HKCR, xrefs: 0035CB29, 0035CB2E
HKEY_CLASSES_ROOT, xrefs: 0035CAF3, 0035CAF8
HKEY_CURRENT_USER, xrefs: 0035CBBD
HKLM, xrefs: 0035CA98, 0035CA9D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0f78535d05d134d763e601e0a527e4eccd038f0f77bf0c12d6307b44b49b4b76
Instruction ID: ced530a8dc36701134d764c27871423512fc4441d31072868fabb5628c45e8fe
Opcode Fuzzy Hash: 0f78535d05d134d763e601e0a527e4eccd038f0f77bf0c12d6307b44b49b4b76
Instruction Fuzzy Hash: E571363263026A8FCF22DE7CCD41DBB37A5AB60759F121128FC56972A1E630CD49C7A0

Function 0036833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0036835A
_wcslen.LIBCMT ref: 0036836E
_wcslen.LIBCMT ref: 00368391
_wcslen.LIBCMT ref: 003683B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003683F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0036361A,?), ref: 0036844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00368487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003684CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00368501
FreeLibrary.KERNEL32(?), ref: 0036850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0036851D
DestroyIcon.USER32(?), ref: 0036852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00368549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00368555

Strings

.dll, xrefs: 003683AB
.icl, xrefs: 00368368
.exe, xrefs: 00368388

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8ec32b2234128e0a9306a5b7ec98f796a32027cb49577b11760823c5c1d9e5a1
Instruction ID: 04f3f1ac16ec8bd7a944b90ecd29ea728f1f685fbf6d3c7c850656f06350b1dc
Opcode Fuzzy Hash: 8ec32b2234128e0a9306a5b7ec98f796a32027cb49577b11760823c5c1d9e5a1
Instruction Fuzzy Hash: D261E071510209BAEB16DF64CC81BBF77ACBB08710F10860AF916D61D1DFB4AA90CBA0

Function 002D7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 002D78ED
#comments-end, xrefs: 002D78D9
#requireadmin, xrefs: 002D77FF
Bad directive syntax error, xrefs: 0031519A
#include-once, xrefs: 002D782F
', xrefs: 00315169
Unterminated group of comments, xrefs: 0031528C
", xrefs: 00315153
#pragma compile, xrefs: 002D77D3
#include, xrefs: 002D7847
#comments-start, xrefs: 002D785F, 002D78B1
Cannot parse #include, xrefs: 00315279
#notrayicon, xrefs: 002D77E7
#OnAutoItStartRegister, xrefs: 002D7817
#cs, xrefs: 002D7873, 002D78C5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d6c5d101c9e84096edaa1a6b1e4fd4c7498f86f1612b5a702e23462c758eb377
Instruction ID: 1d254670737e001e053d43049dcbf7e9e040df538462dc30edd120e1e2bcf435
Opcode Fuzzy Hash: d6c5d101c9e84096edaa1a6b1e4fd4c7498f86f1612b5a702e23462c758eb377
Instruction Fuzzy Hash: 1B814971664205BBDB16AF60DC42FFEB768AF44700F044426F905AB296FB74DD61CBA0

Function 00343E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00343EF8
_wcslen.LIBCMT ref: 00343F03
_wcslen.LIBCMT ref: 00343F5A
_wcslen.LIBCMT ref: 00343F98
GetDriveTypeW.KERNEL32(?), ref: 00343FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344087

Strings

close cd wait, xrefs: 00344072
close, xrefs: 00343EFE, 00343F18
set cd door , xrefs: 00344028
closed, xrefs: 00343F08, 00343F2D, 00343F46, 00343F7E, 00343F97
open, xrefs: 00343F54, 00343F59
wait, xrefs: 00344044
open , xrefs: 00343FE5
type cdaudio alias cd wait, xrefs: 00344001

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 11cb0ed3abcdf3d5325089bd52aefa95b4c730be8fc246f925132478924e4d16
Instruction ID: 332449168f090de66620a2204fc42ae97c0456358f3ed261dffd761714e0a0b0
Opcode Fuzzy Hash: 11cb0ed3abcdf3d5325089bd52aefa95b4c730be8fc246f925132478924e4d16
Instruction Fuzzy Hash: D27101326042029FC711EF24C88196BB7F4EF94758F10492EF8969B261EB30ED59CF91

Function 00335A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00335A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00335A40
SetWindowTextW.USER32(?,?), ref: 00335A57
GetDlgItem.USER32(?,000003EA), ref: 00335A6C
SetWindowTextW.USER32(00000000,?), ref: 00335A72
GetDlgItem.USER32(?,000003E9), ref: 00335A82
SetWindowTextW.USER32(00000000,?), ref: 00335A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00335AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00335AC3
GetWindowRect.USER32(?,?), ref: 00335ACC
_wcslen.LIBCMT ref: 00335B33
SetWindowTextW.USER32(?,?), ref: 00335B6F
GetDesktopWindow.USER32 ref: 00335B75
GetWindowRect.USER32(00000000), ref: 00335B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00335BD3
GetClientRect.USER32(?,?), ref: 00335BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00335C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00335C2F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: e0ab0bee71349f4436244d2d29434dbf9f2bd13fb3576c615ebf46f3baec4efc
Instruction ID: 8b1f38b54f79981b2160cd9237bfac3f4894348613b266922bd4c9eb42a61a14
Opcode Fuzzy Hash: e0ab0bee71349f4436244d2d29434dbf9f2bd13fb3576c615ebf46f3baec4efc
Instruction Fuzzy Hash: 12717031900B05AFDB22DFA8CD85B6EBBF9FF48705F104518E582A35A0D775E940CB54

Function 0034FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0034FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0034FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0034FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0034FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0034FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0034FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0034FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0034FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0034FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0034FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0034FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0034FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0034FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0034FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0034FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0034FECC
GetCursorInfo.USER32(?), ref: 0034FEDC
GetLastError.KERNEL32 ref: 0034FF1E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fedb044c44163c236aaf89d00c25125e8a8eb5e89d50e6dc620efb5685df02a9
Instruction ID: 4e04035d4b34b61ca311ca0ba389720253cb2ed3effcdeb396b0f9db8da2eb4c
Opcode Fuzzy Hash: fedb044c44163c236aaf89d00c25125e8a8eb5e89d50e6dc620efb5685df02a9
Instruction Fuzzy Hash: 7C415570D083196FDB109FBA8C8585EBFE8FF04754B54452AE11DEB291DB78A901CE91

Function 003330F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0033318D
_wcslen.LIBCMT ref: 003331F8

Strings

CLASSNN, xrefs: 003331F3, 00333204
INSTANCE, xrefs: 00333453
REGEXPCLASS, xrefs: 00333255, 00333266
TEXT, xrefs: 0033347C
CLASS, xrefs: 00333188, 003331A5
NAME, xrefs: 00333335, 00333346
[9, xrefs: 0033339A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[9
API String ID: 176396367-3208372086
Opcode ID: c23dacb960c6e6ebc94b5545dad0a614fa0e5380bd74311b7988897063b3f63b
Instruction ID: 540b93e1455060b024bf450422fc70c8ee6599bf92599335a7d7669510fe2b25
Opcode Fuzzy Hash: c23dacb960c6e6ebc94b5545dad0a614fa0e5380bd74311b7988897063b3f63b
Instruction Fuzzy Hash: 3DE1E532A00516ABCF169FA8C4D16FEFBB4BF44750F55C22AE456E7240DB30AE958B90

Function 002F00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002F00C6

Part of subcall function 002F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003A070C,00000FA0,25656FB0,?,?,?,?,003123B3,000000FF), ref: 002F011C
Part of subcall function 002F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003123B3,000000FF), ref: 002F0127
Part of subcall function 002F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003123B3,000000FF), ref: 002F0138
Part of subcall function 002F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002F014E
Part of subcall function 002F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002F015C
Part of subcall function 002F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002F016A
Part of subcall function 002F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002F0195
Part of subcall function 002F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002F01A0

___scrt_fastfail.LIBCMT ref: 002F00E7

Part of subcall function 002F00A3: __onexit.LIBCMT ref: 002F00A9

Strings

kernel32.dll, xrefs: 002F0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002F0122
InitializeConditionVariable, xrefs: 002F0148
WakeAllConditionVariable, xrefs: 002F0162
SleepConditionVariableCS, xrefs: 002F0154

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 61c04cdc19abfe4ca77a9e14750c0ff7bad4b6adaddd4b8d8f34a2d8523b591a
Instruction ID: 610feda893808058ab43266b6be93a8855d2e101ef80d8eb811d79598868841e
Opcode Fuzzy Hash: 61c04cdc19abfe4ca77a9e14750c0ff7bad4b6adaddd4b8d8f34a2d8523b591a
Instruction Fuzzy Hash: 72213E326643156FD7176FA4AC45B7BB398DB06B90F004139F90593296DFB0AC108A60

Function 003444C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0036CC08), ref: 00344527
_wcslen.LIBCMT ref: 0034453B
_wcslen.LIBCMT ref: 00344599
_wcslen.LIBCMT ref: 003445F4
_wcslen.LIBCMT ref: 0034463F
_wcslen.LIBCMT ref: 003446A7

Part of subcall function 002EF9F2: _wcslen.LIBCMT ref: 002EF9FD

GetDriveTypeW.KERNEL32(?,00396BF0,00000061), ref: 00344743

Strings

cdrom, xrefs: 0034458F, 00344594
ramdisk, xrefs: 003446F1
network, xrefs: 0034469D, 003446A2
removable, xrefs: 003445EA, 003445EF
fixed, xrefs: 00344635, 0034463A
unknown, xrefs: 00344708
all, xrefs: 00344531, 00344536

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3241f37c22db98517a808610709891f5c167ac57e8dcac49f7e6dcd194626288
Instruction ID: e5f72f8d269c7bf2e90e2ac51b424f0206c37060b7381734ac569fa3412dfe1a
Opcode Fuzzy Hash: 3241f37c22db98517a808610709891f5c167ac57e8dcac49f7e6dcd194626288
Instruction Fuzzy Hash: F8B103316083029FC711DF28C891A7AB7E5BFA6760F51492DF4A6CB291E734EC45CB52

Function 0036911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

DragQueryPoint.SHELL32(?,?), ref: 00369147

Part of subcall function 00367674: ClientToScreen.USER32(?,?), ref: 0036769A
Part of subcall function 00367674: GetWindowRect.USER32(?,?), ref: 00367710
Part of subcall function 00367674: PtInRect.USER32(?,?,00368B89), ref: 00367720

SendMessageW.USER32(?,000000B0,?,?), ref: 003691B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003691BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003691DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00369225
SendMessageW.USER32(?,000000B0,?,?), ref: 0036923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00369255
SendMessageW.USER32(?,000000B1,?,?), ref: 00369277
DragFinish.SHELL32(?), ref: 0036927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00369371

Strings

@GUI_DRAGID, xrefs: 003692E9
@GUI_DRAGFILE, xrefs: 00369320
@GUI_DROPID, xrefs: 0036929E
p#:, xrefs: 003692BB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#:
API String ID: 221274066-3058038255
Opcode ID: 43e90e218e1cfaa1998e6a2f30d4e8ebc7e63e389a3cd328281fa9798782e53b
Instruction ID: 56f2b1376b218686727b9e1c8a719277ee8cf9c7c2de3748d200c5e95afa6253
Opcode Fuzzy Hash: 43e90e218e1cfaa1998e6a2f30d4e8ebc7e63e389a3cd328281fa9798782e53b
Instruction Fuzzy Hash: 55617A71118301AFD702DF64DC85EAFBBECEF89750F00492EF596922A0DB709A59CB52

Function 002D326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003A1990), ref: 00312F8D
GetMenuItemCount.USER32(003A1990), ref: 0031303D
GetCursorPos.USER32(?), ref: 00313081
SetForegroundWindow.USER32(00000000), ref: 0031308A
TrackPopupMenuEx.USER32(003A1990,00000000,?,00000000,00000000,00000000), ref: 0031309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003130A9

Strings

0, xrefs: 002D327D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8c36675c8568e4d255dcf2f98907d231141b038189dab44772209728b3cc54ae
Instruction ID: fa83a51a9380922d59af89ce7d51304afcc07b5cda3f091c6dc33ebacac34b66
Opcode Fuzzy Hash: 8c36675c8568e4d255dcf2f98907d231141b038189dab44772209728b3cc54ae
Instruction Fuzzy Hash: 1B712B30644205BEEB268F25CC49FEABF68FF09324F204216FA156A1D0C7B1AD60CB51

Function 00366CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00366DEB

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00366E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00366E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00366E94
DestroyWindow.USER32(?), ref: 00366EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 00366EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00366EFD
GetDesktopWindow.USER32 ref: 00366F16
GetWindowRect.USER32(00000000), ref: 00366F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00366F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00366F4D

Part of subcall function 002E9944: GetWindowLongW.USER32(?,000000EB), ref: 002E9952

Strings

tooltips_class32, xrefs: 00366E58, 00366EDD
0, xrefs: 00366D98

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: df18e6da827a83959750723f4ae6998005350634d469c4351480b2a73728ebbc
Instruction ID: 19baa01db716ab08dc1a407ef9ec9ebd6c1a39361e53ff46c8a2cdf289753584
Opcode Fuzzy Hash: df18e6da827a83959750723f4ae6998005350634d469c4351480b2a73728ebbc
Instruction Fuzzy Hash: 7A718874104240AFDB22CF18DC59EBBBBE9FB99344F08841EF99987261C7B1E916CB15

Function 0034C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0034C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0034C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0034C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0034C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0034C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0034C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0034C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0034C5F0
InternetCloseHandle.WININET(00000000), ref: 0034C5FB

Strings

, xrefs: 0034C575

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a1b0e6fa4a7a0b14bf617db6867e5852c2be20b70d5fe6769a9af077c3017158
Instruction ID: b7f27184ebd1d8b5d130df87938afe89c389cf74b6d131ae33fbde89dd35bbee
Opcode Fuzzy Hash: a1b0e6fa4a7a0b14bf617db6867e5852c2be20b70d5fe6769a9af077c3017158
Instruction Fuzzy Hash: AA517DB0511208BFDB629F61C948ABB7BFCFF09344F009419F9859A210DB75F944DB60

Function 0036856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00368592
GetFileSize.KERNEL32(00000000,00000000), ref: 003685A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 003685AD
CloseHandle.KERNEL32(00000000), ref: 003685BA
GlobalLock.KERNEL32(00000000), ref: 003685C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003685D7
GlobalUnlock.KERNEL32(00000000), ref: 003685E0
CloseHandle.KERNEL32(00000000), ref: 003685E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003685F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0036FC38,?), ref: 00368611
GlobalFree.KERNEL32(00000000), ref: 00368621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00368641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00368671
DeleteObject.GDI32(00000000), ref: 00368699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003686AF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3cd918aa1564fd454213b7310aebabbf86c47132f50c1e8f73d41edf673fcd0d
Instruction ID: aa62025057d17efcc1bae009857b7c112ed6d60cb7f436ebae85e5cbd99212b0
Opcode Fuzzy Hash: 3cd918aa1564fd454213b7310aebabbf86c47132f50c1e8f73d41edf673fcd0d
Instruction Fuzzy Hash: 5D412975600208AFDB129FA5CC48EAA7BBCFF8EB11F108559F946E7260DB709D01CB20

Function 003414BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00341502
VariantCopy.OLEAUT32(?,?), ref: 0034150B
VariantClear.OLEAUT32(?), ref: 00341517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003415FB
VarR8FromDec.OLEAUT32(?,?), ref: 00341657
VariantInit.OLEAUT32(?), ref: 00341708
SysFreeString.OLEAUT32(?), ref: 0034178C
VariantClear.OLEAUT32(?), ref: 003417D8
VariantClear.OLEAUT32(?), ref: 003417E7
VariantInit.OLEAUT32(00000000), ref: 00341823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00341625
Default, xrefs: 003416AF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a2ca6578e756fdd0a411777948df82d8fb2a757fb235a6a3ae9a9bfa08df9f3a
Instruction ID: 623521bd8ea8c9e6eaea84d15e538fac22b1fb01f5d3c99c0564eb744e8fdb69
Opcode Fuzzy Hash: a2ca6578e756fdd0a411777948df82d8fb2a757fb235a6a3ae9a9bfa08df9f3a
Instruction Fuzzy Hash: 9BD1E172A00909DBDB12AF65D885BB9B7F9BF46700F148096F446AF680DB30FC91DB61

Function 0035B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 0035C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035B6AE,?,?), ref: 0035C9B5
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035C9F1
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA68
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0035B80A
RegCloseKey.ADVAPI32(?), ref: 0035B87E
RegCloseKey.ADVAPI32(?), ref: 0035B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0035B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0035B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0035B922
FreeLibrary.KERNEL32(00000000), ref: 0035B983
RegCloseKey.ADVAPI32(00000000), ref: 0035B994

Strings

advapi32.dll, xrefs: 0035B8ED
RegDeleteKeyExW, xrefs: 0035B8FE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 67095855d071248bb680dbbced217e2a9d18ec504390d4bab33f0a85e599fc44
Instruction ID: 02e19dc383631b5f527d3a1048534ef99ff4ea3e3a0b48ba66a27b82c00fff58
Opcode Fuzzy Hash: 67095855d071248bb680dbbced217e2a9d18ec504390d4bab33f0a85e599fc44
Instruction Fuzzy Hash: 6FC16830218241AFD711DF24C495F2ABBE5BF84309F15859DF89A8B7A2CB71EC49CB91

Function 0035255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003525D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003525E8
CreateCompatibleDC.GDI32(?), ref: 003525F4
SelectObject.GDI32(00000000,?), ref: 00352601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0035266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003526AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003526D0
SelectObject.GDI32(?,?), ref: 003526D8
DeleteObject.GDI32(?), ref: 003526E1
DeleteDC.GDI32(?), ref: 003526E8
ReleaseDC.USER32(00000000,?), ref: 003526F3

Strings

(, xrefs: 0035268D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 914c1c299fa97788699a7051bc15ea0da06aed6ef8c620fe1192ed58d46f973e
Instruction ID: 5a75821f0e4025cbe894709f89015bf0391b5a9e87a2d1604302730329a673ea
Opcode Fuzzy Hash: 914c1c299fa97788699a7051bc15ea0da06aed6ef8c620fe1192ed58d46f973e
Instruction Fuzzy Hash: AB61F275D00219EFCF05CFA8D884EAEBBB9FF48310F24852AE955A7250D770A951CFA0

Function 0030DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0030DAA1

Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D659
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D66B
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D67D
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D68F
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D6A1
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D6B3
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D6C5
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D6D7
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D6E9
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D6FB
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D70D
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D71F
Part of subcall function 0030D63C: _free.LIBCMT ref: 0030D731

_free.LIBCMT ref: 0030DA96

Part of subcall function 003029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000), ref: 003029DE
Part of subcall function 003029C8: GetLastError.KERNEL32(00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000,00000000), ref: 003029F0

_free.LIBCMT ref: 0030DAB8
_free.LIBCMT ref: 0030DACD
_free.LIBCMT ref: 0030DAD8
_free.LIBCMT ref: 0030DAFA
_free.LIBCMT ref: 0030DB0D
_free.LIBCMT ref: 0030DB1B
_free.LIBCMT ref: 0030DB26
_free.LIBCMT ref: 0030DB5E
_free.LIBCMT ref: 0030DB65
_free.LIBCMT ref: 0030DB82
_free.LIBCMT ref: 0030DB9A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ee221aa355121e9a0d7cfbae94235c7c25735bc45ca43184bab7cf5e5379244a
Instruction ID: 256d1cffae506855db7f7e9bb1fed53103babeec2db35d665638cbcd87398dd1
Opcode Fuzzy Hash: ee221aa355121e9a0d7cfbae94235c7c25735bc45ca43184bab7cf5e5379244a
Instruction Fuzzy Hash: C5314A316062059FEB23AAB9E869B5B77E9FF01310F264419E449DB1D1DB35EC50CB24

Function 0033365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0033369C
_wcslen.LIBCMT ref: 003336A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00333797
GetClassNameW.USER32(?,?,00000400), ref: 0033380C
GetDlgCtrlID.USER32(?), ref: 0033385D
GetWindowRect.USER32(?,?), ref: 00333882
GetParent.USER32(?), ref: 003338A0
ScreenToClient.USER32(00000000), ref: 003338A7
GetClassNameW.USER32(?,?,00000100), ref: 00333921
GetWindowTextW.USER32(?,?,00000400), ref: 0033395D

Strings

%s%u, xrefs: 00333734

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: d241a4b391ae0e1241a0e10fe759d42ffe7e20b8d867405c1599da590f74efb8
Instruction ID: e4c4373b40cc4b76e3ad8f66206f37bf2fde0bcb6fea60b7884f0de4d50e3129
Opcode Fuzzy Hash: d241a4b391ae0e1241a0e10fe759d42ffe7e20b8d867405c1599da590f74efb8
Instruction Fuzzy Hash: 25918071204606EFD71ADF24C8C5BBAF7A8FF44350F008629FA99D6190DB70EA59CB91

Function 00334954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00334994
GetWindowTextW.USER32(?,?,00000400), ref: 003349DA
_wcslen.LIBCMT ref: 003349EB
CharUpperBuffW.USER32(?,00000000), ref: 003349F7
_wcsstr.LIBVCRUNTIME ref: 00334A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00334A64
GetWindowTextW.USER32(?,?,00000400), ref: 00334A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00334AE6
GetClassNameW.USER32(?,?,00000400), ref: 00334B20
GetWindowRect.USER32(?,?), ref: 00334B8B

Strings

ThumbnailClass, xrefs: 00334A6F, 00334AF1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 571ff8964959f9ecb772a51c434569f6c5355be076cd7d7f992432783be89991
Instruction ID: a0e05460c9bacacb17dcfe05293aadbe1f4315c59c34f498c7e8431cbd1ac877
Opcode Fuzzy Hash: 571ff8964959f9ecb772a51c434569f6c5355be076cd7d7f992432783be89991
Instruction Fuzzy Hash: B391BC311082099FDB06CF14C9C5BAABBE8FF84354F04846AFDC59A196EB74ED45CBA1

Function 0033BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(003A1990,000000FF,00000000,00000030), ref: 0033BFAC
SetMenuItemInfoW.USER32(003A1990,00000004,00000000,00000030), ref: 0033BFE1
Sleep.KERNEL32(000001F4), ref: 0033BFF3
GetMenuItemCount.USER32(?), ref: 0033C039
GetMenuItemID.USER32(?,00000000), ref: 0033C056
GetMenuItemID.USER32(?,-00000001), ref: 0033C082
GetMenuItemID.USER32(?,?), ref: 0033C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0033C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033C145

Strings

0, xrefs: 0033BF3D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2da3560fa46d17702315a2bc537f00c17628f9348c7016b391ce04a696024050
Instruction ID: 52ef9d597d1d52ed7b6a11fa3211daf27315d70552f7f973c896d5b8bb09adc7
Opcode Fuzzy Hash: 2da3560fa46d17702315a2bc537f00c17628f9348c7016b391ce04a696024050
Instruction Fuzzy Hash: 2261AEB192028AAFDF16CF64CCC8AFEBBB8EB06344F005115E951A7292C775ED04DB60

Function 0035CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0035CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0035CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0035CD48

Part of subcall function 0035CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0035CCAA
Part of subcall function 0035CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0035CCBD
Part of subcall function 0035CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0035CCCF
Part of subcall function 0035CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0035CD05
Part of subcall function 0035CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0035CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0035CCF3

Strings

advapi32.dll, xrefs: 0035CCB8
RegDeleteKeyExW, xrefs: 0035CCC9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 793b470e6634d4890d71282c6629a2a8471895f532307c56b262d166d36a9da2
Instruction ID: 91a5188b5b04ef72fe0421cc1e40d2c830c7aab4626d69ce8c3479c5c76d7cbb
Opcode Fuzzy Hash: 793b470e6634d4890d71282c6629a2a8471895f532307c56b262d166d36a9da2
Instruction Fuzzy Hash: 68318171911228BFDB229B90DC88EFFBBBCEF05745F015165F906E2150D7B09A4ADAA0

Function 00343D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00343D40
_wcslen.LIBCMT ref: 00343D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00343D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00343DBE
RemoveDirectoryW.KERNEL32(?), ref: 00343DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00343E55
CloseHandle.KERNEL32(00000000), ref: 00343E60
CloseHandle.KERNEL32(00000000), ref: 00343E6B

Strings

\??\%s, xrefs: 00343D5B
:, xrefs: 00343D82
\, xrefs: 00343D77

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b9327718b91592efc0784c3d436a2d3081b202914ab7b6ef9ed84ab1712a64c0
Instruction ID: 849aa93de0740f420f6495a0e0448b0c64808e44994633b22a37efd02c07d120
Opcode Fuzzy Hash: b9327718b91592efc0784c3d436a2d3081b202914ab7b6ef9ed84ab1712a64c0
Instruction Fuzzy Hash: 4431B276910209ABDB229BA0DC49FFF37BCEF89740F1041B5FA09D6160E7B4A7448B24

Function 0033E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0033E6B4

Part of subcall function 002EE551: timeGetTime.WINMM(?,?,0033E6D4), ref: 002EE555

Sleep.KERNEL32(0000000A), ref: 0033E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0033E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0033E727
SetActiveWindow.USER32 ref: 0033E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0033E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0033E773
Sleep.KERNEL32(000000FA), ref: 0033E77E
IsWindow.USER32 ref: 0033E78A
EndDialog.USER32(00000000), ref: 0033E79B

Strings

BUTTON, xrefs: 0033E719

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 70aed243c56edde486e886e524ce972288862c705fffc05d40b1d2e6f8239444
Instruction ID: 0a4f067cb85e77ca68c3b6e5b61791ba70207f73a1d56a55865847f5f7178709
Opcode Fuzzy Hash: 70aed243c56edde486e886e524ce972288862c705fffc05d40b1d2e6f8239444
Instruction Fuzzy Hash: D821A570250205AFEF135F64ECD9A367B6DFB56348F149425F596826F1DBF1AC008B24

Function 0033E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0033EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0033EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0033EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0033EAA7

Strings

close PlayMe, xrefs: 0033EA6E, 0033EA9B
play PlayMe, xrefs: 0033EAA2
alias PlayMe, xrefs: 0033EA36
play PlayMe wait, xrefs: 0033EA91
status PlayMe mode, xrefs: 0033EA58
open , xrefs: 0033EA0C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cca14aadc8af8e295aeaefe113b6d4ebfc57465081f1d50150bd4a3c99ae087a
Instruction ID: 279cf916712732f0b9064a3987e423e22dadf88eefe00c25298f37ff12cf37bc
Opcode Fuzzy Hash: cca14aadc8af8e295aeaefe113b6d4ebfc57465081f1d50150bd4a3c99ae087a
Instruction Fuzzy Hash: 22117331A6126979DB21E7A2DC8AEFF6A7CEBD1B40F00042AF401A21D1EFB05D55C9B0

Function 00339F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0033A012
SetKeyboardState.USER32(?), ref: 0033A07D
GetAsyncKeyState.USER32(000000A0), ref: 0033A09D
GetKeyState.USER32(000000A0), ref: 0033A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0033A0E3
GetKeyState.USER32(000000A1), ref: 0033A0F4
GetAsyncKeyState.USER32(00000011), ref: 0033A120
GetKeyState.USER32(00000011), ref: 0033A12E
GetAsyncKeyState.USER32(00000012), ref: 0033A157
GetKeyState.USER32(00000012), ref: 0033A165
GetAsyncKeyState.USER32(0000005B), ref: 0033A18E
GetKeyState.USER32(0000005B), ref: 0033A19C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 84f7f18e13959cfb405bbc0dc173fbacc89f496f35feee9baca3fb2ace702676
Instruction ID: 82a8a991d37dc255599aa3fffe5ae78640f14eee7c50e0ff5d27c14d4677f963
Opcode Fuzzy Hash: 84f7f18e13959cfb405bbc0dc173fbacc89f496f35feee9baca3fb2ace702676
Instruction Fuzzy Hash: 0651DB30904B8469FB37DB6088957EAFFF45F12380F09859ED5C25B1C2DA949A4CC762

Function 00335CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00335CE2
GetWindowRect.USER32(00000000,?), ref: 00335CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00335D59
GetDlgItem.USER32(?,00000002), ref: 00335D69
GetWindowRect.USER32(00000000,?), ref: 00335D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00335DCF
GetDlgItem.USER32(?,000003E9), ref: 00335DDD
GetWindowRect.USER32(00000000,?), ref: 00335DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00335E31
GetDlgItem.USER32(?,000003EA), ref: 00335E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00335E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00335E67

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 03bc8d0899e7ca6a1942b452235024ce9ef484fbc57012123e21647bee251251
Instruction ID: 43f4fba08e1d242751c39502c96a87248fd7b8d99ab07c695bc8b69f8ce7d808
Opcode Fuzzy Hash: 03bc8d0899e7ca6a1942b452235024ce9ef484fbc57012123e21647bee251251
Instruction Fuzzy Hash: A9512FB1B10605AFDF19DF68CD89AAEBBB9FB48301F158129F515E7290D7B09E00CB60

Function 002E8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002E8BE8,?,00000000,?,?,?,?,002E8BBA,00000000,?), ref: 002E8FC5

DestroyWindow.USER32(?), ref: 002E8C81
KillTimer.USER32(00000000,?,?,?,?,002E8BBA,00000000,?), ref: 002E8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00326973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002E8BBA,00000000,?), ref: 003269A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002E8BBA,00000000,?), ref: 003269B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002E8BBA,00000000), ref: 003269D4
DeleteObject.GDI32(00000000), ref: 003269E6

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 769adf040514e446fe27f578d3a16478a3cea0ed095aa3a751ee580879de0ff4
Instruction ID: 243ad3dd8cb633928ac8a7dbb7c78de2c047d28b3b89b775307d1eb6655bb719
Opcode Fuzzy Hash: 769adf040514e446fe27f578d3a16478a3cea0ed095aa3a751ee580879de0ff4
Instruction Fuzzy Hash: 8261C131062650DFCB279F26D949B2677F5FF42312F64A51EE0C696560CB71ACA0CF90

Function 002E9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002E9944: GetWindowLongW.USER32(?,000000EB), ref: 002E9952

GetSysColor.USER32(0000000F), ref: 002E9862

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 986860f32ac8251e1dcbf549de5e46fd26c68d50f73a0773c4fffc5289617889
Instruction ID: 70a67b92d80488e3e5167865f9549fb738fefb7ace429dd145f5ee8f4dcdf4d5
Opcode Fuzzy Hash: 986860f32ac8251e1dcbf549de5e46fd26c68d50f73a0773c4fffc5289617889
Instruction Fuzzy Hash: 3341D4311606909FDB219F3A9C88BB93B69BB07330F549616F9A2872F1C7709C91DB11

Function 00308D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

./, xrefs: 0030903A, 00308FD0, 00308FF2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: ./
API String ID: 0-41378711
Opcode ID: 324a8378c26f7a40b7fce24dfa0c7e3a93f0229e134ce147eae5a33e7ac1e628
Instruction ID: db440013e37b980e0f4400024d31ecc0e61539f038cb3be96fc508b98b200a24
Opcode Fuzzy Hash: 324a8378c26f7a40b7fce24dfa0c7e3a93f0229e134ce147eae5a33e7ac1e628
Instruction Fuzzy Hash: 66C1F374906249AFDB13DFA8DC61BADBBB4BF0A310F15419AF955AB3D2C7308941CB60

Function 003396E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0031F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00339717
LoadStringW.USER32(00000000,?,0031F7F8,00000001), ref: 00339720

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0031F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00339742
LoadStringW.USER32(00000000,?,0031F7F8,00000001), ref: 00339745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00339866

Strings

Line %d:, xrefs: 003397A0
Line %d (File "%s"):, xrefs: 0033978F
Error: , xrefs: 0033981D
%s (%d) : ==> %s: %s %s, xrefs: 0033984A
^ ERROR, xrefs: 003397FB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: fa077e652eea956977377cc2f532ed2b37aa2cb83e282606ae5e7fd92074f5ff
Instruction ID: 25e394137ff9450a43f8bb4ba742151db19c6216bd3f892c42ab1b660307d820
Opcode Fuzzy Hash: fa077e652eea956977377cc2f532ed2b37aa2cb83e282606ae5e7fd92074f5ff
Instruction Fuzzy Hash: 1D415D72910209AACF05EBE0DE86EEE777CAF55740F100066F20576192EB756F68CF61

Function 003306DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003307A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003307BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003307DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00330804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0033082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00330837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0033083C

Strings

\IPC$, xrefs: 00330784
\CLSID, xrefs: 00330724
SOFTWARE\Classes\, xrefs: 0033070E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ded2e47dc3bd66552b767a515e39e7bec162467f7d16267cc6f0c98b846f8eaf
Instruction ID: f5cf0117db3a01d0ea8fd452b6599e79df07c4b1fcda1339030f9fef3f0ccc7e
Opcode Fuzzy Hash: ded2e47dc3bd66552b767a515e39e7bec162467f7d16267cc6f0c98b846f8eaf
Instruction Fuzzy Hash: 96411A72C20229ABDF16EBA4DC95DEDB778FF04750F05416AE901A7260EB709E54CF90

Function 00363F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0036403B
CreateCompatibleDC.GDI32(00000000), ref: 00364042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00364055
SelectObject.GDI32(00000000,00000000), ref: 0036405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00364068
DeleteDC.GDI32(00000000), ref: 00364072
GetWindowLongW.USER32(?,000000EC), ref: 0036407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00364092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0036409E

Strings

static, xrefs: 00363FD3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: aaa971d79427c7f2ded0be64767b3849cf115ae1afad739a0a7cb9a9e115cbb3
Instruction ID: 2a552a17fe8ce8704f935a7fc27884c42ade909e4e5e38d4ad1cd2416b82d1a6
Opcode Fuzzy Hash: aaa971d79427c7f2ded0be64767b3849cf115ae1afad739a0a7cb9a9e115cbb3
Instruction Fuzzy Hash: D6316E32511215ABDF239FA4CC09FEA3B6CFF0E720F119211FA65A61A0C7B5D860DB64

Function 00353C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00353C5C
CoInitialize.OLE32(00000000), ref: 00353C8A
CoUninitialize.OLE32 ref: 00353C94
_wcslen.LIBCMT ref: 00353D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00353DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00353ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00353F0E
CoGetObject.OLE32(?,00000000,0036FB98,?), ref: 00353F2D
SetErrorMode.KERNEL32(00000000), ref: 00353F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00353FC4
VariantClear.OLEAUT32(?), ref: 00353FD8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1e76173a347606fe1216c6c7b7410cebedd96ff6bdc07182a27be801f309fae9
Instruction ID: 46b77a2c55db118c3c75c8038e8c9cb727aeb7f43f0ca9a8fed73ca141c96696
Opcode Fuzzy Hash: 1e76173a347606fe1216c6c7b7410cebedd96ff6bdc07182a27be801f309fae9
Instruction Fuzzy Hash: DBC114716082059FD702DF68C884D2AB7F9FF89789F10491DF9899B220D771EE49CB52

Function 00347A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00347AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00347B8F
SHGetDesktopFolder.SHELL32(?), ref: 00347BA3
CoCreateInstance.OLE32(0036FD08,00000000,00000001,00396E6C,?), ref: 00347BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00347C74
CoTaskMemFree.OLE32(?,?), ref: 00347CCC
SHBrowseForFolderW.SHELL32(?), ref: 00347D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00347D7A
CoTaskMemFree.OLE32(00000000), ref: 00347D81
CoTaskMemFree.OLE32(00000000), ref: 00347DD6
CoUninitialize.OLE32 ref: 00347DDC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1f6ee9bdeee620a17c11ea80318a97d499d7b3177f56f66932fe3d3c47d194de
Instruction ID: f56e6467258a1ef5881966767c1f5169969cdd293ae29bdd61cdbd14067e0aad
Opcode Fuzzy Hash: 1f6ee9bdeee620a17c11ea80318a97d499d7b3177f56f66932fe3d3c47d194de
Instruction Fuzzy Hash: B8C12A75A14109AFCB15DFA4C884DAEBBF9FF48304B158499E8199B361DB30EE45CF90

Function 0036541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00365504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00365515
CharNextW.USER32(00000158), ref: 00365544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00365585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0036559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003655AC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 76ad30f5a6de824853ab24a1076362f797ee0e1a84434d8900931c9b8c98166d
Instruction ID: e2864183d0211a29da76359515bdb2af085dbd06b0cc6523c84d9b0a586eb7e8
Opcode Fuzzy Hash: 76ad30f5a6de824853ab24a1076362f797ee0e1a84434d8900931c9b8c98166d
Instruction Fuzzy Hash: E361B030904609AFDF138F65CC849FE7BBDEB06721F10C165F666AB294DB748A80DB60

Function 0032FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0032FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0032FB08
VariantInit.OLEAUT32(?), ref: 0032FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0032FB3A
VariantCopy.OLEAUT32(?,?), ref: 0032FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0032FBA1
VariantClear.OLEAUT32(?), ref: 0032FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0032FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0032FBCC
VariantClear.OLEAUT32(?), ref: 0032FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0032FBE9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8f4bd6fcc6bc6bf55ad382192916396dd71f9cbd697027a4f095c9e7ce879466
Instruction ID: 7c2f6aefa2dc1b802c2590396513022e5a48e9bfce0989ebe946b682f778a4cd
Opcode Fuzzy Hash: 8f4bd6fcc6bc6bf55ad382192916396dd71f9cbd697027a4f095c9e7ce879466
Instruction Fuzzy Hash: 3A415F35A102199FCB06DF65D8589FEBBB9FF08344F008079E945A7261CB70E945CFA0

Function 00339C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00339CA1
GetAsyncKeyState.USER32(000000A0), ref: 00339D22
GetKeyState.USER32(000000A0), ref: 00339D3D
GetAsyncKeyState.USER32(000000A1), ref: 00339D57
GetKeyState.USER32(000000A1), ref: 00339D6C
GetAsyncKeyState.USER32(00000011), ref: 00339D84
GetKeyState.USER32(00000011), ref: 00339D96
GetAsyncKeyState.USER32(00000012), ref: 00339DAE
GetKeyState.USER32(00000012), ref: 00339DC0
GetAsyncKeyState.USER32(0000005B), ref: 00339DD8
GetKeyState.USER32(0000005B), ref: 00339DEA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9e5db002f4ba78a92e5b3f043d342daa259f77f81e89dda4a2b4269da85f5f5b
Instruction ID: f1c32e4edd7da580a0f61fcdc202168cf6d1d0a826b1667bae4851088c1b9a08
Opcode Fuzzy Hash: 9e5db002f4ba78a92e5b3f043d342daa259f77f81e89dda4a2b4269da85f5f5b
Instruction Fuzzy Hash: A641F8345047CAEDFF339665C8853B6BEA06F12304F09905BDAC7566C2DBE499C8CB92

Function 0035055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003505BC
inet_addr.WSOCK32(?), ref: 0035061C
gethostbyname.WSOCK32(?), ref: 00350628
IcmpCreateFile.IPHLPAPI ref: 00350636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003506C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003506E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003507B9
WSACleanup.WSOCK32 ref: 003507BF

Strings

Ping, xrefs: 00350676

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d783144ed06c2f28a5619ccbf35f0cd76116a2d8814aef94b44b08a5502e684a
Instruction ID: d3f878e9677b997bd903b25d656edef8ec69dc75c82d2fe4c66bef129719ce32
Opcode Fuzzy Hash: d783144ed06c2f28a5619ccbf35f0cd76116a2d8814aef94b44b08a5502e684a
Instruction Fuzzy Hash: 69919E755082019FD326CF15C488F1ABBE4EF48318F1585A9E8A98B7B2D771ED49CF81

Function 00358CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00358CF3

Part of subcall function 00338E54: _wcslen.LIBCMT ref: 00338E77

_wcslen.LIBCMT ref: 00358D4E
_wcslen.LIBCMT ref: 00358D9C
_wcslen.LIBCMT ref: 00358DDC
_wcslen.LIBCMT ref: 00358E6E

Strings

cdecl, xrefs: 00358D48, 00358D4D
winapi, xrefs: 00358D96, 00358D9B
stdcall, xrefs: 00358DD6, 00358DDB
none, xrefs: 00358E65, 00358E6A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7254ab05a695c0c21eb261f9112250b3d50ae3499243e31e27a676eb521e65dc
Instruction ID: 712c35ea405f1c3eb6d21d2ae80e7413ac70ba8d9adeb8660bd22ee3a493edf4
Opcode Fuzzy Hash: 7254ab05a695c0c21eb261f9112250b3d50ae3499243e31e27a676eb521e65dc
Instruction Fuzzy Hash: FF51AE31A001169BCF16DF68C8418BEB3F5AF64725B224229E866F72E4DB31DD44CB90

Function 0035372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00353774
CoUninitialize.OLE32 ref: 0035377F
CoCreateInstance.OLE32(?,00000000,00000017,0036FB78,?), ref: 003537D9
IIDFromString.OLE32(?,?), ref: 0035384C
VariantInit.OLEAUT32(?), ref: 003538E4
VariantClear.OLEAUT32(?), ref: 00353936

Strings

Failed to create object, xrefs: 003537E4, 0035389A
Invalid parameter, xrefs: 00353865
NULL Pointer assignment, xrefs: 0035381E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 228f80d98c23ee1453a403d7c4b9f67bbcd2d6e9a363a073afb0d766059789de
Instruction ID: 632ee484a183ba2091debd0ba803cda97f0d100e5c8d7b20dc42b0279c047430
Opcode Fuzzy Hash: 228f80d98c23ee1453a403d7c4b9f67bbcd2d6e9a363a073afb0d766059789de
Instruction Fuzzy Hash: 4861AE71608301AFD316DF64C889F6ABBE8EF49755F104809F9859B2A1D770EE4CCB92

Function 00343388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003433CF

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003433F0

Strings

Incorrect parameters to object property !, xrefs: 003434AB
^ ERROR , xrefs: 0034349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00343504
"%s" (%d) : ==> %s:, xrefs: 00343522
Line %d (File "%s"):, xrefs: 00343443, 0034345C
Error: , xrefs: 003434D1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ca200a9cd4776829d0e6563002ecc8d1b72fe503a3ca725b9555038f9bc508e9
Instruction ID: 270839c791e1f3d9b66e200d095b60fa344d9e1b1ac6b295c9512929665d591d
Opcode Fuzzy Hash: ca200a9cd4776829d0e6563002ecc8d1b72fe503a3ca725b9555038f9bc508e9
Instruction Fuzzy Hash: 6051C371910209AADF16EBE0CD42EEEB7B8AF14740F104066F00577192EB712FA8DF61

Function 0033B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0033B5FC
_wcslen.LIBCMT ref: 0033B608
_wcslen.LIBCMT ref: 0033B64D
_wcslen.LIBCMT ref: 0033B68C
_wcslen.LIBCMT ref: 0033B6C7

Strings

APPEND, xrefs: 0033B6C1, 0033B6C6
REMOVE, xrefs: 0033B602, 0033B607
EXISTS, xrefs: 0033B686, 0033B68B
KEYS, xrefs: 0033B647, 0033B64C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d43b5ec1dc4586f3445b05aa3d6e8f58afe6c0ce4332ee6d7b79b02fa97e6d32
Instruction ID: 8865f355a69d755f0b757306fcb7ea125a7121233a7872356c5cb171b49e1592
Opcode Fuzzy Hash: d43b5ec1dc4586f3445b05aa3d6e8f58afe6c0ce4332ee6d7b79b02fa97e6d32
Instruction Fuzzy Hash: 0B411932B010269BCB116F7DC8D25BEF7A5AFA0794F264229E621D7285E731CD81C790

Function 00345393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003453A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00345416
GetLastError.KERNEL32 ref: 00345420
SetErrorMode.KERNEL32(00000000,READY), ref: 003454A7

Strings

READY, xrefs: 00345460, 00345468
NOTREADY, xrefs: 0034544B
READONLY, xrefs: 00345452
INVALID, xrefs: 00345459
UNKNOWN, xrefs: 00345444

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 071bedd3ae6d0ed8203c0c30ad8657658e735fd362938fd48760339ba255e179
Instruction ID: 6156e7c6820c4b5c1229e3f20d07a8496ab97ceca461d32a0fd98062a0106825
Opcode Fuzzy Hash: 071bedd3ae6d0ed8203c0c30ad8657658e735fd362938fd48760339ba255e179
Instruction Fuzzy Hash: DD318F35E005049FCB12DF69C485AAABBF8EB45345F158066E405CF3A3DB75ED86CB90

Function 00363C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00363C79
SetMenu.USER32(?,00000000), ref: 00363C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00363D10
IsMenu.USER32(?), ref: 00363D24
CreatePopupMenu.USER32 ref: 00363D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00363D5B
DrawMenuBar.USER32 ref: 00363D63

Strings

0, xrefs: 00363C54
F, xrefs: 00363D4E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 624c7eb959f45bcd4f7368ef996f973e548f2a199950098fb603b3776ede3e88
Instruction ID: 7f579b2fc2ba8c26cce04de9dd0e3b7bfcce2e67d37b0fe4c9c8ecee71931a58
Opcode Fuzzy Hash: 624c7eb959f45bcd4f7368ef996f973e548f2a199950098fb603b3776ede3e88
Instruction Fuzzy Hash: D0419C74A01209EFDB15CF65DC48EAA7BB9FF4A340F148029FA4697360D770AA10CF94

Function 00331EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 00333CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00333CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00331F64
GetDlgCtrlID.USER32 ref: 00331F6F
GetParent.USER32 ref: 00331F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00331F8E
GetDlgCtrlID.USER32(?), ref: 00331F97
GetParent.USER32(?), ref: 00331FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00331FAE

Strings

ListBox, xrefs: 00331F21
ComboBox, xrefs: 00331EEC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a35ee433b70729c0a88a1af056b657c61dc67597add7c08119f7f1e811179aac
Instruction ID: 42613655cdf77e19093e10fbed8a553a39f21e8af1a46fec5b0910ec4a8ab536
Opcode Fuzzy Hash: a35ee433b70729c0a88a1af056b657c61dc67597add7c08119f7f1e811179aac
Instruction Fuzzy Hash: 6421D474A10214BBCF06AFA0DC85DFEFBB8EF05310F009216F961A7291CB745954DB64

Function 00363A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00363A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00363AA0
GetWindowLongW.USER32(?,000000F0), ref: 00363AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00363AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00363B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00363BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00363BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00363BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00363BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00363C13

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 032aa3b4e5d16771b1e0b782dc05724c8e5d9479ccd07def3a92a3ca8e1e32bb
Instruction ID: d597eb76a0ec1a448e10735782b66217d12bf5ce30f1f41645582995f42fef6a
Opcode Fuzzy Hash: 032aa3b4e5d16771b1e0b782dc05724c8e5d9479ccd07def3a92a3ca8e1e32bb
Instruction Fuzzy Hash: FF616B75900248AFDB12DFA8CC81EEEB7F8EF09704F104199FA15AB2A1D774AE45DB50

Function 0033B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0033B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B165
GetWindowThreadProcessId.USER32(00000000), ref: 0033B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0033B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0033A1E1,?,00000001), ref: 0033B21D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9c216790c067ed6f9a7f7258083a6d70c05ab8a036cee07d6a0caa8f5fc2256e
Instruction ID: 2108d0e68139b7ae769a94f31ae322665699ff38eb3dc8d8389ebc5fe3348e41
Opcode Fuzzy Hash: 9c216790c067ed6f9a7f7258083a6d70c05ab8a036cee07d6a0caa8f5fc2256e
Instruction Fuzzy Hash: F1319A71510204BFDB13DF24DC89BBEBBADBB52311F158509FA02D6190D7B4DA408F64

Function 00302C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00302C94

Part of subcall function 003029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000), ref: 003029DE
Part of subcall function 003029C8: GetLastError.KERNEL32(00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000,00000000), ref: 003029F0

_free.LIBCMT ref: 00302CA0
_free.LIBCMT ref: 00302CAB
_free.LIBCMT ref: 00302CB6
_free.LIBCMT ref: 00302CC1
_free.LIBCMT ref: 00302CCC
_free.LIBCMT ref: 00302CD7
_free.LIBCMT ref: 00302CE2
_free.LIBCMT ref: 00302CED
_free.LIBCMT ref: 00302CFB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f28ec49ac6ceaa864814bafd8f42fa9b072ab58f39038d65c62ac5140cd0040a
Instruction ID: 3100fba8558f600d5833609d81f12e943ab270eff82352089035b73eaae403d6
Opcode Fuzzy Hash: f28ec49ac6ceaa864814bafd8f42fa9b072ab58f39038d65c62ac5140cd0040a
Instruction Fuzzy Hash: 2011A776101108AFCB03EF54D856CDE3BA9FF06350F5144A5F9485F262D731EE609B90

Function 00347DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00347FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00347FC1
GetFileAttributesW.KERNEL32(?), ref: 00347FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00348005
SetCurrentDirectoryW.KERNEL32(?), ref: 00348017
SetCurrentDirectoryW.KERNEL32(?), ref: 00348060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003480B0

Strings

*.*, xrefs: 00348066

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: da22dd4862ca1aa3e8e4271c9f54013fd17a420164d9035e0ccf66f259f50f1b
Instruction ID: 9199b07d608f218f1618a2d96404b30a25dea8a6582831bf4860466a715070c8
Opcode Fuzzy Hash: da22dd4862ca1aa3e8e4271c9f54013fd17a420164d9035e0ccf66f259f50f1b
Instruction Fuzzy Hash: 7C81C2725182419BCB22EF14C8449BEB3E8BF88350F554D6EF885CB250EB35ED89CB52

Function 002D5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002D5C7A

Part of subcall function 002D5D0A: GetClientRect.USER32(?,?), ref: 002D5D30
Part of subcall function 002D5D0A: GetWindowRect.USER32(?,?), ref: 002D5D71
Part of subcall function 002D5D0A: ScreenToClient.USER32(?,?), ref: 002D5D99

GetDC.USER32 ref: 003146F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00314708
SelectObject.GDI32(00000000,00000000), ref: 00314716
SelectObject.GDI32(00000000,00000000), ref: 0031472B
ReleaseDC.USER32(?,00000000), ref: 00314733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003147C4

Strings

U, xrefs: 00314693

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8835db2705c39e0ecfbe0a71a063eb3bc68816c9c74b1215aa73354479d71247
Instruction ID: 86a00d24a1f3c153efce69aabdc453383328d57d90eae1c2723c5c4209e7f042
Opcode Fuzzy Hash: 8835db2705c39e0ecfbe0a71a063eb3bc68816c9c74b1215aa73354479d71247
Instruction Fuzzy Hash: 8971F030500205DFCF2A8F64C984AFA7BB9FF4A325F18426AED655A2A6C3719C91DF50

Function 0034359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003435E4

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

LoadStringW.USER32(003A2390,?,00000FFF,?), ref: 0034360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00343724
"%s" (%d) : ==> %s:, xrefs: 00343742
Line %d (File "%s"):, xrefs: 0034366B
Error: , xrefs: 003436EF
^ ERROR, xrefs: 003436C9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7dfc7c736fb17135657e05c30cb800cc3157edbf40b79c7cbaf6a9da3553da9b
Instruction ID: 4813af083c968926e5859fa7df6c93dcd9902f0fc1c53a03d3d5bffd061a0683
Opcode Fuzzy Hash: 7dfc7c736fb17135657e05c30cb800cc3157edbf40b79c7cbaf6a9da3553da9b
Instruction Fuzzy Hash: 21517271910209BADF16EBA0DC82EEEBB78EF04740F144166F105761A1DB712FA9DFA1

Function 0034C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0034C2CA
GetLastError.KERNEL32 ref: 0034C322
SetEvent.KERNEL32(?), ref: 0034C336
InternetCloseHandle.WININET(00000000), ref: 0034C341

Strings

, xrefs: 0034C2BB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 44b011a5327ac6daf3013a21a07c839a849c13fd29b0bcb537f96fd079334325
Instruction ID: b08b55e9c93eb09c4d6462ee33fae8c41544bee58fda84b7811306b3c2aa72c5
Opcode Fuzzy Hash: 44b011a5327ac6daf3013a21a07c839a849c13fd29b0bcb537f96fd079334325
Instruction Fuzzy Hash: 6731C275621204AFDB639F648C88ABB7BFCEB09740F14951DF486DB200DB74ED049B60

Function 0033989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00313AAF,?,?,Bad directive syntax error,0036CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003398BC
LoadStringW.USER32(00000000,?,00313AAF,?), ref: 003398C3

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00339987

Strings

Line %d:, xrefs: 00339912
Line %d (File "%s"):, xrefs: 0033992D
Error: , xrefs: 00339955
%s (%d) : ==> %s.: %s %s, xrefs: 003398F1
., xrefs: 0033996D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 085cc39c4cdb1d143fa6308d9f9c0dff38031683cf4b6351b99653f931a7aa6e
Instruction ID: 99214d33840d5c0957d593365fa4e8c0fc673ba3bcc221ccd1d418b56643a827
Opcode Fuzzy Hash: 085cc39c4cdb1d143fa6308d9f9c0dff38031683cf4b6351b99653f931a7aa6e
Instruction Fuzzy Hash: 4221AB3292020AEBCF12EF90CC46EEE7739BF18304F04446AF515661A2EB719A68DF51

Function 0033209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003320AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003320C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0033214D

Strings

largeicons, xrefs: 003320E1
SHELLDLL_DefView, xrefs: 003320CC
details, xrefs: 003320FB
smallicons, xrefs: 00332115
list, xrefs: 0033212F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1325fcb1d32fe2fc9b444e84e85465767ff49c498dd6f30a2be6ec2cda873105
Instruction ID: b69de013d580d8e81864bf4f95a105041020ee14ca3dcf9c244151c1fb447035
Opcode Fuzzy Hash: 1325fcb1d32fe2fc9b444e84e85465767ff49c498dd6f30a2be6ec2cda873105
Instruction Fuzzy Hash: B0110676A9870AB9FA033620DC16DF7779CDB04364F310166FB04A51E1EAE168925A18

Function 0030CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0030CEB7
_free.LIBCMT ref: 0030CF22
_free.LIBCMT ref: 0030CF48
_free.LIBCMT ref: 0030CF71
_free.LIBCMT ref: 0030CFA9
_free.LIBCMT ref: 0030CFDA
_free.LIBCMT ref: 0030D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0030D09C
_free.LIBCMT ref: 0030D0B5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: caac52d7de7a76762fe93f2c24471d87ea0e3a58f60aa7273a4c7f14b969c05a
Instruction ID: 0d67099931ca94cc4e057685faecab3562411d189628f8494770c05df2b2315f
Opcode Fuzzy Hash: caac52d7de7a76762fe93f2c24471d87ea0e3a58f60aa7273a4c7f14b969c05a
Instruction Fuzzy Hash: 0C618972906302AFDB27AFB4D8A5A6E7BA9EF02310F15426DF9449B2C2D7319D00C751

Function 003650D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00365186
ShowWindow.USER32(?,00000000), ref: 003651C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003651CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003651D1

Part of subcall function 00366FBA: DeleteObject.GDI32(00000000), ref: 00366FE6

GetWindowLongW.USER32(?,000000F0), ref: 0036520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0036521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0036524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00365287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00365296

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: f56ae0c94b3180ebac7a6bc4493d1c8a72578d189f4c78613240e0adc06e04a7
Instruction ID: 25e1447b59c155fb65eb5d30ea2117984e98f5ff6440a5b5ba12c4d8d9218667
Opcode Fuzzy Hash: f56ae0c94b3180ebac7a6bc4493d1c8a72578d189f4c78613240e0adc06e04a7
Instruction Fuzzy Hash: 9151E670A50A08BFEF329F24CC59BD97B69FB06324F14C422F6159A2E4C3B59990DB50

Function 002E8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00326890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003268A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003268B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003268D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003268F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00326901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0032691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0032692D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ee54c6be1606282c01b89394d9cd887e4eacad4f6613f2738f4919c92a7c85b5
Instruction ID: f8b329ad41d09328ecb0a3cab9ab4c361f0b8a36628274ed19b80fea40dec61f
Opcode Fuzzy Hash: ee54c6be1606282c01b89394d9cd887e4eacad4f6613f2738f4919c92a7c85b5
Instruction Fuzzy Hash: B551AC70660205EFDB22CF25CC52BAA77B9EF44354F10451CF996D72A0DBB0E9A0DB50

Function 0034C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034C182
GetLastError.KERNEL32 ref: 0034C195
SetEvent.KERNEL32(?), ref: 0034C1A9

Part of subcall function 0034C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034C272
Part of subcall function 0034C253: GetLastError.KERNEL32 ref: 0034C322
Part of subcall function 0034C253: SetEvent.KERNEL32(?), ref: 0034C336
Part of subcall function 0034C253: InternetCloseHandle.WININET(00000000), ref: 0034C341

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 51c5404529bc205c80c7b8cdc1ec95694ab8b28acd4eff8970c97f80b29b37c7
Instruction ID: 5fd4ac4859365e1223e188e91a2e8b8b6c0ca8cddcda5f1c9ad536a4d5e6a2d6
Opcode Fuzzy Hash: 51c5404529bc205c80c7b8cdc1ec95694ab8b28acd4eff8970c97f80b29b37c7
Instruction Fuzzy Hash: 6731A071122645AFDB629FB5DC04A76BBFCFF18300B14A81DF9968A610D7B1F814DB60

Function 003325A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00333A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00333A57
Part of subcall function 00333A3D: GetCurrentThreadId.KERNEL32 ref: 00333A5E
Part of subcall function 00333A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003325B3), ref: 00333A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003325BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003325DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003325DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003325E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00332601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00332605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0033260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00332623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00332627

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 01fbc21e33f457483d16b9b6f35452f8db11b52a51c6035e077d6b495119f08a
Instruction ID: f8dc34b1a6980d0e2e7b5db0d8c105d9027637f189476bfdf920521e577cf4c5
Opcode Fuzzy Hash: 01fbc21e33f457483d16b9b6f35452f8db11b52a51c6035e077d6b495119f08a
Instruction Fuzzy Hash: 5601B1302A0210BBFB116768DCCEF6A7E5DDB4AB12F105001F398AE0E1C9E224448A6A

Function 00331803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00331449,?,?,00000000), ref: 0033180C
HeapAlloc.KERNEL32(00000000,?,00331449,?,?,00000000), ref: 00331813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00331449,?,?,00000000), ref: 00331828
GetCurrentProcess.KERNEL32(?,00000000,?,00331449,?,?,00000000), ref: 00331830
DuplicateHandle.KERNEL32(00000000,?,00331449,?,?,00000000), ref: 00331833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00331449,?,?,00000000), ref: 00331843
GetCurrentProcess.KERNEL32(00331449,00000000,?,00331449,?,?,00000000), ref: 0033184B
DuplicateHandle.KERNEL32(00000000,?,00331449,?,?,00000000), ref: 0033184E
CreateThread.KERNEL32(00000000,00000000,00331874,00000000,00000000,00000000), ref: 00331868

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 70e97543bfd7e2105b10f7a563a98b90fae8d297daad6f6ee3ce5a01e36fc979
Instruction ID: f1a7e4977b73a825fa26d56f5e957ab901e590ed9aaf0639315c670ac909f12e
Opcode Fuzzy Hash: 70e97543bfd7e2105b10f7a563a98b90fae8d297daad6f6ee3ce5a01e36fc979
Instruction Fuzzy Hash: A601BF75250344BFE711AB65DC4DF673B6CEB8AB11F009411FA45DB191C6B59810CB30

Function 00303E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00303F0B
__alldvrm.LIBCMT ref: 0030410C
__alldvrm.LIBCMT ref: 0030412E

Strings

}}/, xrefs: 00303E96, 00303EF1, 00303F0A, 00304090
}}/, xrefs: 003040CD
}}/, xrefs: 00303E8A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}/$}}/$}}/
API String ID: 1036877536-1180266311
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 8e6b6dfe239afa28f5c182fa78cc1ca3d6248c11d6497c7acd0cff5c10b7bc50
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 77A157B2E123869FDB17CF18C8A17AEFBE8EF65350F15416DE6859B2C1C2349A81C750

Function 0035A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0033D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0033D501
Part of subcall function 0033D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0033D50F
Part of subcall function 0033D4DC: CloseHandle.KERNELBASE(00000000), ref: 0033D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035A16D
GetLastError.KERNEL32 ref: 0035A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0035A268
GetLastError.KERNEL32(00000000), ref: 0035A273
CloseHandle.KERNEL32(00000000), ref: 0035A2C4

Strings

SeDebugPrivilege, xrefs: 0035A18F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a961cff71c8202cd5c6087039c12211894290528930ca1ec2eacb8ffb5531c0b
Instruction ID: 8747ff7ce66bf3776c768b0e73c3e52b5c5c3cb05d2679d20cd0f90fc6b5b152
Opcode Fuzzy Hash: a961cff71c8202cd5c6087039c12211894290528930ca1ec2eacb8ffb5531c0b
Instruction Fuzzy Hash: DD61E0302086429FD311DF18C495F25BBE4AF44308F15858CE8668FBA3C776ED49CB92

Function 00363886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00363925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0036393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00363954
_wcslen.LIBCMT ref: 00363999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003639C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003639F4

Strings

SysListView32, xrefs: 003638F7

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 833d497766ab0cc9ec0c5b838b9621d44006be2968fedf3a38df8779df17e66e
Instruction ID: 362010dca572cd26ac5cb6c75af062d62a936d544e5c5df29b48f6be7fa1857e
Opcode Fuzzy Hash: 833d497766ab0cc9ec0c5b838b9621d44006be2968fedf3a38df8779df17e66e
Instruction Fuzzy Hash: 4E41D531A00219ABEF229F64CC49FEA7BA9FF08350F114126F958E7281D7B19D94CF90

Function 0033BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033BCFD
IsMenu.USER32(00000000), ref: 0033BD1D
CreatePopupMenu.USER32 ref: 0033BD53
GetMenuItemCount.USER32(01706A68), ref: 0033BDA4
InsertMenuItemW.USER32(01706A68,?,00000001,00000030), ref: 0033BDCC

Strings

2, xrefs: 0033BD37
0, xrefs: 0033BCA8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e922e0595002b96c23fbca2cdcdd365528b70f030f47c190e435e9ee3a4b7275
Instruction ID: 4d60d0c3603e2dfd237d9fc1a427849817bf3e88b0391bed5a1d48b9206f54a5
Opcode Fuzzy Hash: e922e0595002b96c23fbca2cdcdd365528b70f030f47c190e435e9ee3a4b7275
Instruction Fuzzy Hash: BB51C170A00209DBDF22DFA9D8C4BAEFBF8BF45314F148259E641EB2A1D7709945CB51

Function 002F2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002F2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 002F2D53
_ValidateLocalCookies.LIBCMT ref: 002F2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 002F2E0C
_ValidateLocalCookies.LIBCMT ref: 002F2E61

Strings

&H/, xrefs: 002F2DFE, 002F2E07, 002F2E18
csm, xrefs: 002F2DF6

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H/$csm
API String ID: 1170836740-1380644197
Opcode ID: 2b0f3a68d9141ad741cd027b87c0b8a61dfb66b2697e6e8041b5ace02cad8158
Instruction ID: f73bb56a6db9f8e761f0c09a2de1c9e2b4a55e31d1f8dcbe1f9c570b9ad3f6f1
Opcode Fuzzy Hash: 2b0f3a68d9141ad741cd027b87c0b8a61dfb66b2697e6e8041b5ace02cad8158
Instruction Fuzzy Hash: FD41E934A2020DDBCF14DF68C8459AEFBB4BF46394F148065EA14AB352D7359A25CF90

Function 0033C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0033C913

Strings

question, xrefs: 0033C8CC
warning, xrefs: 0033C8FC
stop, xrefs: 0033C8E4
blank, xrefs: 0033C895
info, xrefs: 0033C8B4

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 83f001911d77f4556f183e0beebd77a8cc167c2aa63edf172fac8a4b48e82525
Instruction ID: 706200f78a70ad5d98fc1c4c144760431db49917dfa4f4f0c6328797178877f8
Opcode Fuzzy Hash: 83f001911d77f4556f183e0beebd77a8cc167c2aa63edf172fac8a4b48e82525
Instruction Fuzzy Hash: 8E11EB326A930ABAAB03AB549CC3DEB779CDF15354F21107AF900BA182D7B16F005764

Function 0033DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0033DE42
gethostname.WSOCK32(?,00000100), ref: 0033DE5C
gethostbyname.WSOCK32(?), ref: 0033DE69
inet_ntoa.WSOCK32(?), ref: 0033DEAB
_strcat.LIBCMT ref: 0033DEB9
WSACleanup.WSOCK32 ref: 0033DEDE

Strings

0.0.0.0, xrefs: 0033DE87

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fc874a8f47356f9fdd996c914ca320fc797a1c24ec407883a148aab8adbc1337
Instruction ID: 9f51ad9588078acaeac07e521d492298e7175a2f72b3006ebfd3e785ff4f8fcb
Opcode Fuzzy Hash: fc874a8f47356f9fdd996c914ca320fc797a1c24ec407883a148aab8adbc1337
Instruction Fuzzy Hash: 4F112931914118AFCB22BB60EC8AEFF7BACDF10751F05017AF5459A091EFF19A818E60

Function 0033ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0033ED2A
_wcslen.LIBCMT ref: 0033ED3B
_wcslen.LIBCMT ref: 0033ED79
_wcslen.LIBCMT ref: 0033EDAF
_wcslen.LIBCMT ref: 0033EDDF
_wcslen.LIBCMT ref: 0033EDEF
_wcslen.LIBCMT ref: 0033EE2B
_wcslen.LIBCMT ref: 0033EE5A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a7b8da11d1592c9f419b8225f58c30831ec97fe2e415edea9530052f39f1cec9
Instruction ID: e7f70e512c859727d219758ab5735976c6ec50de9c2653198b9927f656d273da
Opcode Fuzzy Hash: a7b8da11d1592c9f419b8225f58c30831ec97fe2e415edea9530052f39f1cec9
Instruction Fuzzy Hash: 6141C165D2021C75CB11EBF4888A9DFB3A8AF45740F408476FA18E3162FB74E265CBE5

Function 002EF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0032682C,00000004,00000000,00000000), ref: 002EF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0032682C,00000004,00000000,00000000), ref: 0032F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0032682C,00000004,00000000,00000000), ref: 0032F454

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4dbd7dd66327dda2b316b7cb113ed12299bc274165a286b82fa1f935ebd243ec
Instruction ID: 510a56fbe1dba66b17e9c52e4199fe615148c0666dbb2850933f14b7552ca138
Opcode Fuzzy Hash: 4dbd7dd66327dda2b316b7cb113ed12299bc274165a286b82fa1f935ebd243ec
Instruction Fuzzy Hash: 654190302746C0BEC7B69F3BDA8873A7BA5AF46310F95843DE0C757562C6B19890CB10

Function 00362D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00362D1B
GetDC.USER32(00000000), ref: 00362D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00362D2E
ReleaseDC.USER32(00000000,00000000), ref: 00362D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00362D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00362D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00365A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00362DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00362DE1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 00828baed5689e63aecfc453a8d80a6adaeac388d32ab027ca2d2e4749afcc8e
Instruction ID: a9ece5f07d3be78e90011f1c16fdc563a188662a8b991eb33bc023a4d61b9e06
Opcode Fuzzy Hash: 00828baed5689e63aecfc453a8d80a6adaeac388d32ab027ca2d2e4749afcc8e
Instruction Fuzzy Hash: 39316B72211614BFEB128F50CC8AFFB3BADEB09715F099055FE489A291C6B59C50CBA4

Function 00335622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00335637
_memcmp.LIBVCRUNTIME ref: 00335659
_memcmp.LIBVCRUNTIME ref: 00335671
_memcmp.LIBVCRUNTIME ref: 00335684
_memcmp.LIBVCRUNTIME ref: 0033569E
_memcmp.LIBVCRUNTIME ref: 003356B1
_memcmp.LIBVCRUNTIME ref: 003356C9
_memcmp.LIBVCRUNTIME ref: 003356E4

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 794c92eb25f25a55799d492df1a300dc0417361e79949bb612c74529ae3b3f78
Instruction ID: 35ee2ff9f462ce3e3c71f898df8ad5b4964aea12e0e52a76e872eada8bcec0f7
Opcode Fuzzy Hash: 794c92eb25f25a55799d492df1a300dc0417361e79949bb612c74529ae3b3f78
Instruction Fuzzy Hash: 7F21A4B1655A09BBD21A56209ED3FFA735DAF203C5F854030FE059AA85F720ED30C6E5

Function 00354FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0035502E, 00355383
Not an Object type, xrefs: 00355007

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: af61a440ad0b05ab195120985d5fbe16e73a69d9b76afc3f367a506cc8cb84d8
Instruction ID: 2314aa4df05494cb39cf0b8a5efa6efe7807f0c3669c3a718a18ba5b7992c205
Opcode Fuzzy Hash: af61a440ad0b05ab195120985d5fbe16e73a69d9b76afc3f367a506cc8cb84d8
Instruction Fuzzy Hash: 11D1F375A0060A9FDF11CF98C890FAEB7B5BF48344F158069ED15AB290E770ED49CB90

Function 00311522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 003115CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00311651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003116E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003116FB

Part of subcall function 00303820: RtlAllocateHeap.NTDLL(00000000,?,003A1444,?,002EFDF5,?,?,002DA976,00000010,003A1440,002D13FC,?,002D13C6,?,002D1129), ref: 00303852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00311777
__freea.LIBCMT ref: 003117A2
__freea.LIBCMT ref: 003117AE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 888b6a69034984cdffa0e8cacedb8d5ce06b7cb1d966189bfd7e5d2b11c76040
Instruction ID: a986a4967e1231785c9f378bc3cbf23859ac2bf19c8db75adaaf87cb33e89d1b
Opcode Fuzzy Hash: 888b6a69034984cdffa0e8cacedb8d5ce06b7cb1d966189bfd7e5d2b11c76040
Instruction Fuzzy Hash: B991B672E102169EDF2A8E74CC51AEE7BBAAF4E310F194659EA01E7281D735DCC4C760

Function 00354523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00354648
VariantInit.OLEAUT32(?), ref: 00354749
VariantClear.OLEAUT32(?), ref: 00354753
VariantClear.OLEAUT32(?), ref: 003547B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0035472C
Null Object assignment in FOR..IN loop, xrefs: 003545D8, 00354706, 003547BE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 63a690e92d978dfb2de01ef4fae09cc2a1ba0cd586547d64c35514be4a09d0f0
Instruction ID: 2ef9d8d617744ff95d7cdc079541b13598e27849561c01748e71b973beb40d4e
Opcode Fuzzy Hash: 63a690e92d978dfb2de01ef4fae09cc2a1ba0cd586547d64c35514be4a09d0f0
Instruction Fuzzy Hash: D291C670A00215EFCF2ACFA5C844FAEB7B8EF46715F108559F915AB290D7709989CFA0

Function 00341187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0034125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00341284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003412A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003412D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0034135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003413C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00341430

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 04bd41b47ac947341fbc1fa41992092fc6338eb5f919e79994eb013c18af52b1
Instruction ID: 9584997c12eea01e1f182e8063148304fc7671b84ab7a66e6d6250c3d3a1ef94
Opcode Fuzzy Hash: 04bd41b47ac947341fbc1fa41992092fc6338eb5f919e79994eb013c18af52b1
Instruction Fuzzy Hash: D091CD75A00608AFDB02DFA5C884BBEB7F9FF45314F158429E940EF291D7B4A981CB90

Function 002E948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 03c98e31838f6627a6dc1b39e34e937a1ed08200ab3c08b69ec115170e63fec2
Instruction ID: b78654949465a1d6176221248792e91f04cb04c2c5fccb0ee98a34478e1bb562
Opcode Fuzzy Hash: 03c98e31838f6627a6dc1b39e34e937a1ed08200ab3c08b69ec115170e63fec2
Instruction Fuzzy Hash: E3914671D50219EFCB11CFAACC84AEEBBB8FF49320F548446E515B7251D374A991CBA0

Function 00353947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0035396B
CharUpperBuffW.USER32(?,?), ref: 00353A7A
_wcslen.LIBCMT ref: 00353A8A
VariantClear.OLEAUT32(?), ref: 00353C1F

Part of subcall function 00340CDF: VariantInit.OLEAUT32(00000000), ref: 00340D1F
Part of subcall function 00340CDF: VariantCopy.OLEAUT32(?,?), ref: 00340D28
Part of subcall function 00340CDF: VariantClear.OLEAUT32(?), ref: 00340D34

Strings

Incorrect Parameter format, xrefs: 003539A6, 00353BA1
AUTOIT.ERROR, xrefs: 00353A80, 00353A85

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7b455e08aec72ebb1b422e9786b021cd1a645e8c99700363abbaee34002afbf8
Instruction ID: c194fc17c59f100b3ad77827d40f40fe8f69bd228f87db26dc1d11143bf90a11
Opcode Fuzzy Hash: 7b455e08aec72ebb1b422e9786b021cd1a645e8c99700363abbaee34002afbf8
Instruction Fuzzy Hash: 1C9166746183459FCB01DF24C48096AB7E4BF88355F14892EF8899B361DB31EE49CF92

Function 00354BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0033000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?,?,0033035E), ref: 0033002B
Part of subcall function 0033000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?), ref: 00330046
Part of subcall function 0033000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?), ref: 00330054
Part of subcall function 0033000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?), ref: 00330064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00354C51
_wcslen.LIBCMT ref: 00354D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00354DCF
CoTaskMemFree.OLE32(?), ref: 00354DDA

Strings

NULL Pointer assignment, xrefs: 00354E23, 00354E52

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 5595dfa586ad44e722eca2cae626e61a241dea60c209a82a5283cd0ef2af93ef
Instruction ID: c2ad8798b9124a18e8f88e25cbb70cec99594ae6f00605ade357445a8421e103
Opcode Fuzzy Hash: 5595dfa586ad44e722eca2cae626e61a241dea60c209a82a5283cd0ef2af93ef
Instruction Fuzzy Hash: E7911771D00219AFDF15DFA4D891EEEB7B8BF08304F10816AE915AB251DB709E58CF60

Function 003620FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00362183
GetMenuItemCount.USER32(00000000), ref: 003621B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003621DD
_wcslen.LIBCMT ref: 00362213
GetMenuItemID.USER32(?,?), ref: 0036224D
GetSubMenu.USER32(?,?), ref: 0036225B

Part of subcall function 00333A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00333A57
Part of subcall function 00333A3D: GetCurrentThreadId.KERNEL32 ref: 00333A5E
Part of subcall function 00333A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003325B3), ref: 00333A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003622E3

Part of subcall function 0033E97B: Sleep.KERNEL32 ref: 0033E9F3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 5a43f500fe8ff413630f88a04ed8cacd37e723a82f3050ac554b193cc715b4d2
Instruction ID: 274fdffc1801c9c7eff3e359d2687bc0117bf0180907fd4b3e6473186f969bd6
Opcode Fuzzy Hash: 5a43f500fe8ff413630f88a04ed8cacd37e723a82f3050ac554b193cc715b4d2
Instruction Fuzzy Hash: 9E71BD35A00605AFCB02DFA5C881AAEB7F5EF49310F16C859E816EB345DB74AE018F90

Function 00367E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01706A18), ref: 00367F37
IsWindowEnabled.USER32(01706A18), ref: 00367F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0036801E
SendMessageW.USER32(01706A18,000000B0,?,?), ref: 00368051
IsDlgButtonChecked.USER32(?,?), ref: 00368089
GetWindowLongW.USER32(01706A18,000000EC), ref: 003680AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003680C3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 932cbebafb8415b39b8fa5be45bcd4ba2df39f8400db42d07454de8aaf5bca38
Instruction ID: bb7b52f7421651c2217397de815a1a091f7d139e93050f597c64558c15ed04fd
Opcode Fuzzy Hash: 932cbebafb8415b39b8fa5be45bcd4ba2df39f8400db42d07454de8aaf5bca38
Instruction Fuzzy Hash: 6171CF34608204AFEF239F64CC84FBABBB9EF0A304F558459F9459B269CB71AC55CB10

Function 0033AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0033AEF9
GetKeyboardState.USER32(?), ref: 0033AF0E
SetKeyboardState.USER32(?), ref: 0033AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0033AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0033AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0033AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0033B020

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ae448f6cdc819eade57d0fd658dc694e8166799e43e955c65d2872f28a8536ff
Instruction ID: 26f0b992193f480abd72aef3fc9d99bc70465e6debad3b6b82fbd00b873f9090
Opcode Fuzzy Hash: ae448f6cdc819eade57d0fd658dc694e8166799e43e955c65d2872f28a8536ff
Instruction Fuzzy Hash: 7851D3A0614BD53DFB374234CC85BBBBEE95B06304F098589E2D9998D2C3D9ACC8D751

Function 0033ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0033AD19
GetKeyboardState.USER32(?), ref: 0033AD2E
SetKeyboardState.USER32(?), ref: 0033AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0033ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0033ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0033AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0033AE38

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1a90b435959914704614a44f5aef73145105edabc5a9a47853ba3f5097501736
Instruction ID: 929378adf648b8df00b09953639c43c2c8d9fedbb615a4f54d44dec89b8f6620
Opcode Fuzzy Hash: 1a90b435959914704614a44f5aef73145105edabc5a9a47853ba3f5097501736
Instruction Fuzzy Hash: 6251E7A1604BD53DFB378334CCD5B7ABEA85B46300F098589E1D58A8C2D394EC88E762

Function 0030542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00313CD6,?,?,?,?,?,?,?,?,00305BA3,?,?,00313CD6,?,?), ref: 00305470
__fassign.LIBCMT ref: 003054EB
__fassign.LIBCMT ref: 00305506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00313CD6,00000005,00000000,00000000), ref: 0030552C
WriteFile.KERNEL32(?,00313CD6,00000000,00305BA3,00000000,?,?,?,?,?,?,?,?,?,00305BA3,?), ref: 0030554B
WriteFile.KERNEL32(?,?,00000001,00305BA3,00000000,?,?,?,?,?,?,?,?,?,00305BA3,?), ref: 00305584

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f6779fbd8247537199ad249f16d542eaa9f9a9bba444cf0fcec3257f159417d
Instruction ID: 3bc398a6662eb221ed60da1da964d40872cce9a9fc9d6b7bd7c93b9fbe3fc2e7
Opcode Fuzzy Hash: 4f6779fbd8247537199ad249f16d542eaa9f9a9bba444cf0fcec3257f159417d
Instruction Fuzzy Hash: 8751D270A016099FDB12CFA8DC95AEEBBF9EF0A300F14411AF556E7291D7309A41CF60

Function 003510B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0035304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0035307A
Part of subcall function 0035304E: _wcslen.LIBCMT ref: 0035309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00351112
WSAGetLastError.WSOCK32 ref: 00351121
WSAGetLastError.WSOCK32 ref: 003511C9
closesocket.WSOCK32(00000000), ref: 003511F9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 76258bb320c32e45bf67122b741243dc860d339f1260427fc3d615810b2218ff
Instruction ID: 7935fe82bb39067a456a4b584879563c79a6b846c84c6e06e95583011ff562b0
Opcode Fuzzy Hash: 76258bb320c32e45bf67122b741243dc860d339f1260427fc3d615810b2218ff
Instruction Fuzzy Hash: 1E412731200604AFDB129F24C885FA9B7E9EF44325F148099FD469B2A1C774EE45CFE0

Function 0033CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0033DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0033CF22,?), ref: 0033DDFD

Part of subcall function 0033DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0033CF22,?), ref: 0033DE16

lstrcmpiW.KERNEL32(?,?), ref: 0033CF45
MoveFileW.KERNEL32(?,?), ref: 0033CF7F
_wcslen.LIBCMT ref: 0033D005
_wcslen.LIBCMT ref: 0033D01B
SHFileOperationW.SHELL32(?), ref: 0033D061

Strings

\*.*, xrefs: 0033CFF3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8fd4ad6bc24f105c5e95bc269b7184280c768fac11afde8ee5dc08b114c46691
Instruction ID: f3beed521e9952e9da2d5e91433060c0d54776a4833e5e9b30c83e70b463f69c
Opcode Fuzzy Hash: 8fd4ad6bc24f105c5e95bc269b7184280c768fac11afde8ee5dc08b114c46691
Instruction Fuzzy Hash: 33415375D152185FDF13EBA4D9C1AEEB7B8AF08780F1000E6E505EB141EA74AA88CF50

Function 00362DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00362E1C
GetWindowLongW.USER32(?,000000F0), ref: 00362E4F
GetWindowLongW.USER32(?,000000F0), ref: 00362E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00362EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00362EE0
GetWindowLongW.USER32(?,000000F0), ref: 00362EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00362F0B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d9b9c9e615e2d0047237cede8eb1cbccc33377c1798850344c1aa38467aa5baf
Instruction ID: 2d66011ae58642785620ba2beff570186ccd3a9a5083d956d4723c419711c718
Opcode Fuzzy Hash: d9b9c9e615e2d0047237cede8eb1cbccc33377c1798850344c1aa38467aa5baf
Instruction Fuzzy Hash: F7315530644640AFDB22CF58DC84F6677E8FB9A710F1A8064F9508F2B5CBB2AC50DB41

Function 00337726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00337769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0033778F
SysAllocString.OLEAUT32(00000000), ref: 00337792
SysAllocString.OLEAUT32(?), ref: 003377B0
SysFreeString.OLEAUT32(?), ref: 003377B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003377DE
SysAllocString.OLEAUT32(?), ref: 003377EC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0bc53e0e8c97fd4a42214b0cf56d4766c4e245fa60d0a5f3859e64efdcb41b93
Instruction ID: b088eca0ec942ebbb03c31c664a552a3c5d4ec852d18a0ba723785ff90b1d026
Opcode Fuzzy Hash: 0bc53e0e8c97fd4a42214b0cf56d4766c4e245fa60d0a5f3859e64efdcb41b93
Instruction Fuzzy Hash: F921C4B6608219AFDF22DFA9CC88CBB73ACEB09364F058125F954DB150D670DC41CB60

Function 003377FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00337842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00337868
SysAllocString.OLEAUT32(00000000), ref: 0033786B
SysAllocString.OLEAUT32 ref: 0033788C
SysFreeString.OLEAUT32 ref: 00337895
StringFromGUID2.OLE32(?,?,00000028), ref: 003378AF
SysAllocString.OLEAUT32(?), ref: 003378BD

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 92bc286a43e92ebe0b0b56396c4549059f2273035158dd16a7351b03284bdf75
Instruction ID: 653c3fa3507283860145381a7645a3f218e796fb8d8f07fe2c3ebbf3360f0c69
Opcode Fuzzy Hash: 92bc286a43e92ebe0b0b56396c4549059f2273035158dd16a7351b03284bdf75
Instruction Fuzzy Hash: 9821A171608205AFDB229FA9DCCDDBA77ECEB09360B108125F915DB2A1DA70DC41CB64

Function 003404D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003404F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0034052E

Strings

nul, xrefs: 00340567

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9f2b7d239fb2ba4df7ac58330d3bf006af93daddd942aa5febf519352fbc2080
Instruction ID: cb2ba8b92615c9d4c4fbb31908be200acd395eeec59e25b2ce370a145496cc85
Opcode Fuzzy Hash: 9f2b7d239fb2ba4df7ac58330d3bf006af93daddd942aa5febf519352fbc2080
Instruction Fuzzy Hash: 8B2182756043059BDF259F29DC04A9A77E8EF46724F204A59F9E1DB2E0D770A950CF20

Function 003405A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003405C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00340601

Strings

nul, xrefs: 00340639

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: aec6b842ab0cdbe990446baeec74f5e3efa981098cdd41602c034a4a77209726
Instruction ID: 357990022e4fe89806f04d77ebc00c9137109463cbe469b3f9b025d4fa78b45b
Opcode Fuzzy Hash: aec6b842ab0cdbe990446baeec74f5e3efa981098cdd41602c034a4a77209726
Instruction Fuzzy Hash: EA2197756003059BDF269F69CC04A5A77E8FF95720F214A19FEE2DB2E0D7B4A860CB10

Function 003640AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D604C
Part of subcall function 002D600E: GetStockObject.GDI32(00000011), ref: 002D6060
Part of subcall function 002D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00364112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0036411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0036412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00364139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00364145

Strings

Msctls_Progress32, xrefs: 003640E3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: fa2a814fe83029a4155fc64547a9545c86188202c49a332c9119da5706cd2918
Instruction ID: 618be6638af2f6e74fa7409551da190d13cf01d4989da634b1cbdb0387af1e9a
Opcode Fuzzy Hash: fa2a814fe83029a4155fc64547a9545c86188202c49a332c9119da5706cd2918
Instruction Fuzzy Hash: 3511E2B2150219BEEF128F64CC85EE77F5DEF09398F018111FB18A2190C6729C21DBA4

Function 0030D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0030D7A3: _free.LIBCMT ref: 0030D7CC

_free.LIBCMT ref: 0030D82D

Part of subcall function 003029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000), ref: 003029DE
Part of subcall function 003029C8: GetLastError.KERNEL32(00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000,00000000), ref: 003029F0

_free.LIBCMT ref: 0030D838
_free.LIBCMT ref: 0030D843
_free.LIBCMT ref: 0030D897
_free.LIBCMT ref: 0030D8A2
_free.LIBCMT ref: 0030D8AD
_free.LIBCMT ref: 0030D8B8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ff803afafc806fb3d4a38982f76f9c013a9581e55c1fdfe36d0d044bfda9ea32
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B8114C71542B04AAD623BFF4CC5BFCB7BDCAF41B00F404825B299AE0D2DB66B5158760

Function 0033DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0033DA74
LoadStringW.USER32(00000000), ref: 0033DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0033DA91
LoadStringW.USER32(00000000), ref: 0033DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0033DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0033DAB9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9b2feebf3708f97b2e0f515159d543fe23d9ec5f7935a2ba398a0a13fcebb78f
Instruction ID: 4c018f1e86a089a5e73bbb2b546aef8c39bd2e345d3421a018df47822cad9ec7
Opcode Fuzzy Hash: 9b2feebf3708f97b2e0f515159d543fe23d9ec5f7935a2ba398a0a13fcebb78f
Instruction Fuzzy Hash: 120136F6910208BFE7129BA4DD89EF7776CE708701F405496F786E6041E6B49E844F74

Function 0034096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016FF0D0,016FF0D0), ref: 0034097B
EnterCriticalSection.KERNEL32(016FF0B0,00000000), ref: 0034098D
TerminateThread.KERNEL32(?,000001F6), ref: 0034099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003409A9
CloseHandle.KERNEL32(?), ref: 003409B8
InterlockedExchange.KERNEL32(016FF0D0,000001F6), ref: 003409C8
LeaveCriticalSection.KERNEL32(016FF0B0), ref: 003409CF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: beb22525cb8b8bd93e1dedd87012206195fad9170d1419784de85c92e8db9712
Instruction ID: e554557d78b9c10d1fee083ba366482de04534190ded8859c7d938edd3602e05
Opcode Fuzzy Hash: beb22525cb8b8bd93e1dedd87012206195fad9170d1419784de85c92e8db9712
Instruction Fuzzy Hash: 22F01D31552502ABDB465BA4EE9CAE67A39BF01702F406415F241548A0C7B5A475CFA0

Function 002D5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002D5D30
GetWindowRect.USER32(?,?), ref: 002D5D71
ScreenToClient.USER32(?,?), ref: 002D5D99
GetClientRect.USER32(?,?), ref: 002D5ED7
GetWindowRect.USER32(?,?), ref: 002D5EF8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 40419fd3481f21e0010ee60e2f165ef24d81b3e8758c6abbe11f9a3f5fc307e8
Instruction ID: b4e0d65a467256454f1d9bdf95eff94ac48a38e8411a5b440e955a41bdad822a
Opcode Fuzzy Hash: 40419fd3481f21e0010ee60e2f165ef24d81b3e8758c6abbe11f9a3f5fc307e8
Instruction Fuzzy Hash: 8BB18A34A2078ADBDB14DFA8C4807EEB7F1FF58310F14841AE8A9D7250DB70AA91DB54

Function 003001B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003000BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003000D6
__allrem.LIBCMT ref: 003000ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030010B
__allrem.LIBCMT ref: 00300122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00300140

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 34f55a99239fa747240612172b93074f7db659039ed0498e4f0d1bb0a6527ed4
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 44814B76A01B069BE72A9F28CC51B6BB3E9AF45760F24423AF551DB6C1E770D9008B90

Function 00351D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0035101C,00000000,?,?,00000000), ref: 00353195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00351DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00351DE1
WSAGetLastError.WSOCK32 ref: 00351DF2
inet_ntoa.WSOCK32(?), ref: 00351E8C
htons.WSOCK32(?,?,?,?,?), ref: 00351EDB
_strlen.LIBCMT ref: 00351F35

Part of subcall function 003339E8: _strlen.LIBCMT ref: 003339F2

Part of subcall function 002D6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,002ECF58,?,?,?), ref: 002D6DBA
Part of subcall function 002D6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,002ECF58,?,?,?), ref: 002D6DED

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: b1d4fb1052e9c0958d6b6accd82518faef92464945a5797bf449b2f5576c6245
Instruction ID: 6e262a23b7387605fbed258bdd15dfb1be632ab5670056e3dca289ec73d41a51
Opcode Fuzzy Hash: b1d4fb1052e9c0958d6b6accd82518faef92464945a5797bf449b2f5576c6245
Instruction Fuzzy Hash: 1CA1B031204340AFC325DF24C895F2ABBE5AF84318F558A5DF8565B2B2CB71ED4ACB91

Function 003061FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002F82D9,002F82D9,?,?,?,0030644F,00000001,00000001,8BE85006), ref: 00306258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0030644F,00000001,00000001,8BE85006,?,?,?), ref: 003062DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003063D8
__freea.LIBCMT ref: 003063E5

Part of subcall function 00303820: RtlAllocateHeap.NTDLL(00000000,?,003A1444,?,002EFDF5,?,?,002DA976,00000010,003A1440,002D13FC,?,002D13C6,?,002D1129), ref: 00303852

__freea.LIBCMT ref: 003063EE
__freea.LIBCMT ref: 00306413

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 8bcd5245f55daf0ea4d4acaa558995104958ebb3ceac204a37601b19a5d05a6e
Instruction ID: 465523703181b54da1a40d67efa980d9185e603f8c36173f2fbf1597709e643c
Opcode Fuzzy Hash: 8bcd5245f55daf0ea4d4acaa558995104958ebb3ceac204a37601b19a5d05a6e
Instruction Fuzzy Hash: 3851D072602216ABDB278F64CCA2FAF77ADEF44710F164669F805DA1D4DB34DC60C6A0

Function 0035BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 0035C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035B6AE,?,?), ref: 0035C9B5
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035C9F1
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA68
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035BD25
RegCloseKey.ADVAPI32(00000000), ref: 0035BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0035BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035BDF3
RegCloseKey.ADVAPI32(?), ref: 0035BDFF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 521fb95c902ebc6207387adc891d3ee411d535a3d4c506a83df978c6a775cab5
Instruction ID: 2fd1d3f7ad3eda6f40855eac73f3a97b7f172cc9fcd106cc68d6b2f58214d149
Opcode Fuzzy Hash: 521fb95c902ebc6207387adc891d3ee411d535a3d4c506a83df978c6a775cab5
Instruction Fuzzy Hash: CB817D30218241AFD715DF24C895E6ABBF9FF84308F14855DF8958B2A2DB31ED49CB92

Function 0032F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0032F7B9
SysAllocString.OLEAUT32(00000001), ref: 0032F860
VariantCopy.OLEAUT32(0032FA64,00000000), ref: 0032F889
VariantClear.OLEAUT32(0032FA64), ref: 0032F8AD
VariantCopy.OLEAUT32(0032FA64,00000000), ref: 0032F8B1
VariantClear.OLEAUT32(?), ref: 0032F8BB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: eef884f8565d02d50ffce685aa61c55d6bd7e960732440fed652e71565f59d88
Instruction ID: b2671e3da949bf31ae783fe6a570cd022fd0498dfd9b163699fbecc1ba8215ad
Opcode Fuzzy Hash: eef884f8565d02d50ffce685aa61c55d6bd7e960732440fed652e71565f59d88
Instruction Fuzzy Hash: 2851B431610320AECF22AB65E895B29B3B8EF45710F249577F806DF291DB708C80CB96

Function 0034910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002D7620: _wcslen.LIBCMT ref: 002D7625

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003494E5
_wcslen.LIBCMT ref: 00349506
_wcslen.LIBCMT ref: 0034952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00349585

Strings

X, xrefs: 00349412

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 34d13f3d109e370fec92fc6e84089e04ebd14c8a98535fda82a4dcffb19d253c
Instruction ID: fa1571b4a63701f86c0e448e8b697b0f0622747d6f011ed640c54748ca1c07e1
Opcode Fuzzy Hash: 34d13f3d109e370fec92fc6e84089e04ebd14c8a98535fda82a4dcffb19d253c
Instruction Fuzzy Hash: B8E19D316183408FD725DF24C881B6AB7E4BF85314F15896EF8899B3A2DB31ED45CB92

Function 002E920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

BeginPaint.USER32(?,?,?), ref: 002E9241
GetWindowRect.USER32(?,?), ref: 002E92A5
ScreenToClient.USER32(?,?), ref: 002E92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002E92D3
EndPaint.USER32(?,?,?,?,?), ref: 002E9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003271EA

Part of subcall function 002E9339: BeginPath.GDI32(00000000), ref: 002E9357

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 279f8aa3d683c18d38a21d67202ef76e7a799f5658b0e9d130ef19f098e63ce9
Instruction ID: 1cec7526d9eac1ec4e4e9aa8f53341d958e8b5daafe5d9aba5e7b01d768ad01f
Opcode Fuzzy Hash: 279f8aa3d683c18d38a21d67202ef76e7a799f5658b0e9d130ef19f098e63ce9
Instruction Fuzzy Hash: 4141CF30114250AFD712DF25DC84FBB7BA8EF46320F14026AF9A4871A1C7709895CB62

Function 003407EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0034080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00340847
EnterCriticalSection.KERNEL32(?), ref: 00340863
LeaveCriticalSection.KERNEL32(?), ref: 003408DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003408F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00340921

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 095a6979d0ba97b8386dabec297794f80037ed811a1f4166d4cc22e41d4a28b9
Instruction ID: 2b3c7ee026e791faa420221b812947caa0681d0e8b3e8963370673fbb03494b7
Opcode Fuzzy Hash: 095a6979d0ba97b8386dabec297794f80037ed811a1f4166d4cc22e41d4a28b9
Instruction Fuzzy Hash: 7E417E71A10205EBDF159F54DD85A6A77B8FF04300F1480A5ED009E297DB70EE60DFA0

Function 003681DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0032F3AB,00000000,?,?,00000000,?,0032682C,00000004,00000000,00000000), ref: 0036824C
EnableWindow.USER32(?,00000000), ref: 00368272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003682D1
ShowWindow.USER32(?,00000004), ref: 003682E5
EnableWindow.USER32(?,00000001), ref: 0036830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0036832F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 55b715489f076ec9b86bbeb1c7149bb5d1daed6be29f7afc9fecb189a3d4bbb8
Instruction ID: 4c114a79b06d1533830281b9c3b91bdadb862a7354286974192863efd7e77514
Opcode Fuzzy Hash: 55b715489f076ec9b86bbeb1c7149bb5d1daed6be29f7afc9fecb189a3d4bbb8
Instruction Fuzzy Hash: 2141D538601640AFDB27CF15C8A9BE47BF4FB0E714F199369E5484F266CB31A841CB90

Function 00334C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00334C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00334CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00334CEA
_wcslen.LIBCMT ref: 00334D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00334D10
_wcsstr.LIBVCRUNTIME ref: 00334D1A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8974eacc41b6abf735c323c5e53e84fc09485a34bcf3b1e5e9476676b002a6f2
Instruction ID: ce7240405588bac9a3601b35312476a46a075c936baa73e9d8d77bb5683f2ce3
Opcode Fuzzy Hash: 8974eacc41b6abf735c323c5e53e84fc09485a34bcf3b1e5e9476676b002a6f2
Instruction Fuzzy Hash: F7210872204244BBEB175B39EC89E7BBB9CDF45750F158039F805CA192EEA1EC519AA0

Function 0034581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D3A97,?,?,002D2E7F,?,?,?,00000000), ref: 002D3AC2

_wcslen.LIBCMT ref: 0034587B
CoInitialize.OLE32(00000000), ref: 00345995
CoCreateInstance.OLE32(0036FCF8,00000000,00000001,0036FB68,?), ref: 003459AE
CoUninitialize.OLE32 ref: 003459CC

Strings

.lnk, xrefs: 00345876, 003458C1, 00345985

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 73f17285821e600798d013aaa974f6fafc282c57c1564f176fed8d552f3efb25
Instruction ID: bfe37a4bde129b537463540fd2b94f66420be245e06a9d0b831e2ea65a131f18
Opcode Fuzzy Hash: 73f17285821e600798d013aaa974f6fafc282c57c1564f176fed8d552f3efb25
Instruction Fuzzy Hash: 88D14071A087019FC715DF24C480A2ABBE5EF89710F15895EF88A9B362DB31EC45CF92

Function 0033175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00330FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00330FCA
Part of subcall function 00330FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00330FD6
Part of subcall function 00330FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00330FE5
Part of subcall function 00330FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00330FEC
Part of subcall function 00330FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00331002

GetLengthSid.ADVAPI32(?,00000000,00331335), ref: 003317AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003317BA
HeapAlloc.KERNEL32(00000000), ref: 003317C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003317DA
GetProcessHeap.KERNEL32(00000000,00000000,00331335), ref: 003317EE
HeapFree.KERNEL32(00000000), ref: 003317F5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 841fc5e48a3b2aa2d38a8003777162f43b6deb38cabc3c455a3887857113028c
Instruction ID: 42014427a927f4d5d99c8e7307337844956bb9e49e627b6e12bba9293c6bf4a3
Opcode Fuzzy Hash: 841fc5e48a3b2aa2d38a8003777162f43b6deb38cabc3c455a3887857113028c
Instruction Fuzzy Hash: 0511BE31510205FFDB229FA4CC89BBE7BADEB42355F188018F48197220C776A944CB70

Function 003314CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003314FF
OpenProcessToken.ADVAPI32(00000000), ref: 00331506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00331515
CloseHandle.KERNEL32(00000004), ref: 00331520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0033154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00331563

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6558d12d93320ef3cd90e8d25ebeb1dbcaf3187b7a2e68861ac1485a122cf646
Instruction ID: d3d18e52b5a8ff0c98696311cb42a348f3ef47e13c2d39db29c8a83385eb5082
Opcode Fuzzy Hash: 6558d12d93320ef3cd90e8d25ebeb1dbcaf3187b7a2e68861ac1485a122cf646
Instruction Fuzzy Hash: 27115672500209AFDF128FA8DD89BEE7BADEF49744F058025FA05A2160C3B5CE60DB60

Function 002F3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002F3379,002F2FE5), ref: 002F3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002F339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002F33B7
SetLastError.KERNEL32(00000000,?,002F3379,002F2FE5), ref: 002F3409

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 09f0f15d007391ca1ea679a142e7076af60f629f8c95107a59b4c277052a7d5b
Instruction ID: b96d46f9a2a30f173526bac16443035b167b5d05233c4288aa6ae03e8227dd75
Opcode Fuzzy Hash: 09f0f15d007391ca1ea679a142e7076af60f629f8c95107a59b4c277052a7d5b
Instruction Fuzzy Hash: D101F93223931A6ED616AB747C85977AA9CD7057F9B20023AF610803F0EF524D315684

Function 00302D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00305686,00313CD6,?,00000000,?,00305B6A,?,?,?,?,?,002FE6D1,?,00398A48), ref: 00302D78
_free.LIBCMT ref: 00302DAB
_free.LIBCMT ref: 00302DD3
SetLastError.KERNEL32(00000000,?,?,?,?,002FE6D1,?,00398A48,00000010,002D4F4A,?,?,00000000,00313CD6), ref: 00302DE0
SetLastError.KERNEL32(00000000,?,?,?,?,002FE6D1,?,00398A48,00000010,002D4F4A,?,?,00000000,00313CD6), ref: 00302DEC
_abort.LIBCMT ref: 00302DF2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8ab056473d66bf741f39a51c86ab23c2aa76a829c84c6b4c286b8f485c9f2674
Instruction ID: eb3b2b44b402bf235aa31a2656445d3b0fcfb125186e84eb6f6176ef45fbdd47
Opcode Fuzzy Hash: 8ab056473d66bf741f39a51c86ab23c2aa76a829c84c6b4c286b8f485c9f2674
Instruction Fuzzy Hash: C9F0C236547A0067C6233739BC3EF6B265DAFC27A5F364419F8349A2E2EF658C014360

Function 00368A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002E9693
Part of subcall function 002E9639: SelectObject.GDI32(?,00000000), ref: 002E96A2
Part of subcall function 002E9639: BeginPath.GDI32(?), ref: 002E96B9
Part of subcall function 002E9639: SelectObject.GDI32(?,00000000), ref: 002E96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00368A4E
LineTo.GDI32(?,00000003,00000000), ref: 00368A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00368A70
LineTo.GDI32(?,00000000,00000003), ref: 00368A80
EndPath.GDI32(?), ref: 00368A90
StrokePath.GDI32(?), ref: 00368AA0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 964a9b49ad0699cbd2903ba0f758835eb6f364beda862dd70def98bbde3c1ef2
Instruction ID: 695543b08b2a6a621a51a0f6f888fe284e1342b5232986f566efad103f17bb92
Opcode Fuzzy Hash: 964a9b49ad0699cbd2903ba0f758835eb6f364beda862dd70def98bbde3c1ef2
Instruction Fuzzy Hash: 7A110576010148FFEF129F94DC88EAA7F6CEB09390F00C022FA599A1A1C7B19D55DFA0

Function 003351FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00335218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00335229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00335230
ReleaseDC.USER32(00000000,00000000), ref: 00335238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0033524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00335261

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c3445a48d89154d27aa1361a1378bd5282c1509cb0c384df23f2deeac7d7faff
Instruction ID: fceb3532d270e567f2a16fd1ff7507eb31171798dbf45de233c9037c3f9e6c8a
Opcode Fuzzy Hash: c3445a48d89154d27aa1361a1378bd5282c1509cb0c384df23f2deeac7d7faff
Instruction Fuzzy Hash: 5C018F75A01718BBEB119BA5DC49A5EBFB8EB48351F049066FA04EB280D6B09800CBA0

Function 002D1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 002D1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 002D1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 002D1C22

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7b1fd16dc73b0ab1c20518a2d4cc24be9a9326ce22d97fc4b9f0c9fff04ad567
Instruction ID: d4723c554371ff9ea1af9e61444346e0cf80ed906110ebedce06763631002203
Opcode Fuzzy Hash: 7b1fd16dc73b0ab1c20518a2d4cc24be9a9326ce22d97fc4b9f0c9fff04ad567
Instruction Fuzzy Hash: 1F0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F04411BE15C4BA42C7F5A864CBE5

Function 0033EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0033EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0033EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0033EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033EB75

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ac91cca3a61e219b19040f82f1c19019848808683f05b533d75308df667068d4
Instruction ID: efcd7724782bae7dc9a2d322bd65e208c32fb1b8a734c6e585422f109c1bcc29
Opcode Fuzzy Hash: ac91cca3a61e219b19040f82f1c19019848808683f05b533d75308df667068d4
Instruction Fuzzy Hash: D6F01772250158BBE6226B62DC0EEBB7A7CEFCBB11F009158F642D119196E45A0186B9

Function 00327439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00327452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00327469
GetWindowDC.USER32(?), ref: 00327475
GetPixel.GDI32(00000000,?,?), ref: 00327484
ReleaseDC.USER32(?,00000000), ref: 00327496
GetSysColor.USER32(00000005), ref: 003274B0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: ee20413bcd30d83b5d973e53c5f58add2562f722d56cabe4a11a5f794c340fb2
Instruction ID: ec6d697ac93ba2bc8a87dbf8dc789f50bf3f4c01cf8f666df26f048cc89d0d65
Opcode Fuzzy Hash: ee20413bcd30d83b5d973e53c5f58add2562f722d56cabe4a11a5f794c340fb2
Instruction Fuzzy Hash: CB01AD31410215EFDB126FA5EC09BFA7BB9FF04311F55A060FA56A21A0CBB11E51EB60

Function 00331874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0033187F
UnloadUserProfile.USERENV(?,?), ref: 0033188B
CloseHandle.KERNEL32(?), ref: 00331894
CloseHandle.KERNEL32(?), ref: 0033189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003318A5
HeapFree.KERNEL32(00000000), ref: 003318AC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a6a5fc37bba2d099820f2a0dcc7874db6ad281fcaabc718a389e1ba3857b1b33
Instruction ID: 696e04bed222f9b5935ffb22a65bfaf7fbbcdc5d4b957854c24812f97015c1c5
Opcode Fuzzy Hash: a6a5fc37bba2d099820f2a0dcc7874db6ad281fcaabc718a389e1ba3857b1b33
Instruction Fuzzy Hash: A7E0C236014101BBDA026BA2ED0C91ABB2DFB4AB22B10D221F26581170CBB29430DB60

Function 002DBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002DBEB3

Strings

D%:, xrefs: 002DBE9A
D%:, xrefs: 002DBDED, 002DBD91, 002DBD1B
D%:, xrefs: 002DBCA2
D%:D%:, xrefs: 002DBCA5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%:$D%:$D%:$D%:D%:
API String ID: 1385522511-518282973
Opcode ID: e0eef7c0df07e987b8e62bbe8fceb59956a5cfba602887d3c385540768dba71d
Instruction ID: 4a1f09f75e984b764c75b8eb8281fc583a4257d4bbd05c2af3214cb1cdaaaebd
Opcode Fuzzy Hash: e0eef7c0df07e987b8e62bbe8fceb59956a5cfba602887d3c385540768dba71d
Instruction Fuzzy Hash: EF914A75A2020ACFCB19CF59C0A06AAB7F2FF59310F25816FD941AB351E771AD91CB90

Function 00357B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002F0242: EnterCriticalSection.KERNEL32(003A070C,003A1884,?,?,002E198B,003A2518,?,?,?,002D12F9,00000000), ref: 002F024D
Part of subcall function 002F0242: LeaveCriticalSection.KERNEL32(003A070C,?,002E198B,003A2518,?,?,?,002D12F9,00000000), ref: 002F028A

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 002F00A3: __onexit.LIBCMT ref: 002F00A9

__Init_thread_footer.LIBCMT ref: 00357BFB

Part of subcall function 002F01F8: EnterCriticalSection.KERNEL32(003A070C,?,?,002E8747,003A2514), ref: 002F0202
Part of subcall function 002F01F8: LeaveCriticalSection.KERNEL32(003A070C,?,002E8747,003A2514), ref: 002F0235

Strings

+T2, xrefs: 00357E2E
Variable must be of type 'Object'., xrefs: 00357C3A
G, xrefs: 00357C7F
5, xrefs: 00357C78

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T2$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2360979669
Opcode ID: 9897336bf1c89725111a68eedac4b794152200e82cabd9aa91bbd5055d6455b8
Instruction ID: 23a2b57704592e672a75a7f438163a9859e306f21cce766e0285c9c1467893c7
Opcode Fuzzy Hash: 9897336bf1c89725111a68eedac4b794152200e82cabd9aa91bbd5055d6455b8
Instruction Fuzzy Hash: D2918A74A14209AFCB06EF54E891DBDB7B5FF49301F108059FC06AB2A2DB71AE49CB51

Function 0033C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7620: _wcslen.LIBCMT ref: 002D7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033C6EE
_wcslen.LIBCMT ref: 0033C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0033C7CA

Strings

0, xrefs: 0033C6AF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e5e9e5415356178098804284906a0d0063c51d1456a5d3a4ace957a40de05768
Instruction ID: d01fe230c3164633c50c6b5107bad0f48b791189e092596e1263cdec415b49b8
Opcode Fuzzy Hash: e5e9e5415356178098804284906a0d0063c51d1456a5d3a4ace957a40de05768
Instruction Fuzzy Hash: 0B51BF716243009FD7169F28C8C5AABB7E8AF49310F092A2DF995F21A1DB60DD14CF52

Function 0035AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0035AEA3

Part of subcall function 002D7620: _wcslen.LIBCMT ref: 002D7625

GetProcessId.KERNEL32(00000000), ref: 0035AF38
CloseHandle.KERNEL32(00000000), ref: 0035AF67

Strings

@, xrefs: 0035AE72
<, xrefs: 0035AE6B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c28612b9db7298cd0c674de8422c7bc14ae42d61b9955c8d3bd709ecd4502623
Instruction ID: 573aebd73db95e72e5fb2e85afe2a55d11177719ff9f6ce769681350070ec1d2
Opcode Fuzzy Hash: c28612b9db7298cd0c674de8422c7bc14ae42d61b9955c8d3bd709ecd4502623
Instruction Fuzzy Hash: 16718670A10619CFCB15EF54D481A9EBBF0EF08300F05859AE816AB3A2DB74ED45CF91

Function 0033719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00337206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0033723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0033724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003372CF

Strings

DllGetClassObject, xrefs: 00337242

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7b3dfc85bc8585c23bb5aa56e0655cd94595173eb5ae3748ac6f5acdac4ddd6d
Instruction ID: 679376ca4e75cfd73936e08f3c0e4ddea31e62f71ce75cabfe482884c2b5bdfd
Opcode Fuzzy Hash: 7b3dfc85bc8585c23bb5aa56e0655cd94595173eb5ae3748ac6f5acdac4ddd6d
Instruction Fuzzy Hash: FE415DB1A04204EFDB26CF54C8C5A9B7BA9EF49310F1584A9FD05DF20AD7B1D944CBA0

Function 00363D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00363E35
IsMenu.USER32(?), ref: 00363E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00363E92
DrawMenuBar.USER32 ref: 00363EA5

Strings

0, xrefs: 00363D89

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 69c6a1062a2430b18846e22a2b1abd1c27ca185b785f73fc71938948cee80e28
Instruction ID: d59057d87e032d1de373448877eb5da898011e645dcf773dca0eef49ccc7fdb9
Opcode Fuzzy Hash: 69c6a1062a2430b18846e22a2b1abd1c27ca185b785f73fc71938948cee80e28
Instruction Fuzzy Hash: F5418776A00209EFDB12DF50D884EAABBF9FF49350F048029F901A7250D775AE14CFA0

Function 00331DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 00333CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00333CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00331E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00331E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00331EA9

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

Strings

ListBox, xrefs: 00331E25
ComboBox, xrefs: 00331DF0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0cae7681e656780af121b826b535b1ae34db70084d96b1d7c98aeac3258304de
Instruction ID: 797abed928996815d0fe0d52c42526697636bb795cc9b1af38e56738b717067e
Opcode Fuzzy Hash: 0cae7681e656780af121b826b535b1ae34db70084d96b1d7c98aeac3258304de
Instruction Fuzzy Hash: FD216671A00104BEDB16ABA0DC86CFFB7BCDF45350F14811AF821A72E0DB754D5A8B20

Function 0035C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035C9F1
_wcslen.LIBCMT ref: 0035CA68
_wcslen.LIBCMT ref: 0035CA9E
_wcslen.LIBCMT ref: 0035CAF9
_wcslen.LIBCMT ref: 0035CB2F
_wcslen.LIBCMT ref: 0035CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0035CA62, 0035CA67
HKLM, xrefs: 0035CA98, 0035CA9D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 2734ce2d316572d9c57160851b2bbe45e2a34f278edb5d914ebe398398730fc7
Instruction ID: 2245b032b34cae6d675cd8142c6867510ce8c9bb4d950ef72f6b80ea43f853f0
Opcode Fuzzy Hash: 2734ce2d316572d9c57160851b2bbe45e2a34f278edb5d914ebe398398730fc7
Instruction Fuzzy Hash: 8B31F933A202694FCB22DF2CD8408BF3BA15BA1759F075029EC45AB365E6B0CD48D790

Function 00362F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00362F8D
LoadLibraryW.KERNEL32(?), ref: 00362F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00362FA9
DestroyWindow.USER32(?), ref: 00362FB1

Strings

SysAnimate32, xrefs: 00362F68

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1c283bc922383975d8b17166987698d6bdbfe9c9bf7ecc73aa2cc85c611892e0
Instruction ID: 7c31caeb2acba45211a33bc12c402a1382a3f1ee907f3ae46eeeee1aab320000
Opcode Fuzzy Hash: 1c283bc922383975d8b17166987698d6bdbfe9c9bf7ecc73aa2cc85c611892e0
Instruction Fuzzy Hash: 3F212D71200605ABEF124FA4CC80EBB33BCEF59324F128218FA50DA0A8C7B0CC409760

Function 002F4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002F4D1E,003028E9,?,002F4CBE,003028E9,003988B8,0000000C,002F4E15,003028E9,00000002), ref: 002F4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002F4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,002F4D1E,003028E9,?,002F4CBE,003028E9,003988B8,0000000C,002F4E15,003028E9,00000002,00000000), ref: 002F4DC3

Strings

mscoree.dll, xrefs: 002F4D86
CorExitProcess, xrefs: 002F4D98

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b98ba1f5eb7b989b069b7ed40ae479e5bab926e32ddc2eada7f9974f68f0b5c8
Instruction ID: de2b042326d264d2bda2364aa8840f58e8454372cd5a590415187442b1233c2a
Opcode Fuzzy Hash: b98ba1f5eb7b989b069b7ed40ae479e5bab926e32ddc2eada7f9974f68f0b5c8
Instruction Fuzzy Hash: 3DF0443456020DFBDB165F94DC49BFEFBB9EF44751F004065F909A2250DBB55950CB90

Function 002D4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D4EDD,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D4EAE
FreeLibrary.KERNEL32(00000000,?,?,002D4EDD,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 002D4EA8
kernel32.dll, xrefs: 002D4E94

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a02444aa7d79e4b466184c3d38d4fde4a14107167c2fad307834c268436b6272
Instruction ID: ca1a0f2da8abbe4b57e5c0c5e48bd2bbc39eb530f66b41dd659765885d41cdcd
Opcode Fuzzy Hash: a02444aa7d79e4b466184c3d38d4fde4a14107167c2fad307834c268436b6272
Instruction Fuzzy Hash: 7EE08635A215236B92232B256C18A7BA658AF82B62B094116FC41D2200DBB0CD0140A0

Function 002D4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00313CDE,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D4E74
FreeLibrary.KERNEL32(00000000,?,?,00313CDE,?,003A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002D4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 002D4E6E
kernel32.dll, xrefs: 002D4E5B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a55dcc0111b6fbb04f461c53ab14d1f3a613d88b46e78e481f425a7f071ae073
Instruction ID: 82244e544f6e853eeee49664174aae9231442de6e53be1e9b989f70e6796717e
Opcode Fuzzy Hash: a55dcc0111b6fbb04f461c53ab14d1f3a613d88b46e78e481f425a7f071ae073
Instruction Fuzzy Hash: A5D01235522662675A232F25AC18DEB6B1CAFC6B517059616F945A2214CFB0CD1185D0

Function 00342947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00342C05
DeleteFileW.KERNEL32(?), ref: 00342C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00342C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00342CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00342CC0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3e237d653c7ba73adcafe0ba6965a42c923552c170b8f17414b0a93ccc409a16
Instruction ID: 85f63c03f75c2ae6d4da8d0d4fffada251f909597f3a5c98369266d647850004
Opcode Fuzzy Hash: 3e237d653c7ba73adcafe0ba6965a42c923552c170b8f17414b0a93ccc409a16
Instruction Fuzzy Hash: 7BB14F71910119ABDF11DBA4CC85EEFBBBDEF48350F5040A6F609FA151EA70AE448F61

Function 0035A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0035A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0035A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0035A468
CloseHandle.KERNEL32(?), ref: 0035A63D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 07b7a75214e29f4cef80ae43698e3fa7f41b77d433f53d0677ee7a993c1b2078
Instruction ID: 0bbc002eee9cbc60cf7b1a32b2256e8f573e248d6267b9a4111a60d7b7efd82d
Opcode Fuzzy Hash: 07b7a75214e29f4cef80ae43698e3fa7f41b77d433f53d0677ee7a993c1b2078
Instruction Fuzzy Hash: 2EA1CD716047019FD721DF24C882F2AB7E5AF84714F14891DF99A8B3A2DBB0EC45CB82

Function 0033E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0033DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0033CF22,?), ref: 0033DDFD

Part of subcall function 0033DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0033CF22,?), ref: 0033DE16

Part of subcall function 0033E199: GetFileAttributesW.KERNEL32(?,0033CF95), ref: 0033E19A

lstrcmpiW.KERNEL32(?,?), ref: 0033E473
MoveFileW.KERNEL32(?,?), ref: 0033E4AC
_wcslen.LIBCMT ref: 0033E5EB
_wcslen.LIBCMT ref: 0033E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0033E650

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 29cec8eb8e05a09152249b399147ce2b2720a53fc99c1ea9c4e0882f08ad7279
Instruction ID: 1b10bfeec995ae1510399c697619ccd4cda308e803409613defc0fef9c24571f
Opcode Fuzzy Hash: 29cec8eb8e05a09152249b399147ce2b2720a53fc99c1ea9c4e0882f08ad7279
Instruction Fuzzy Hash: D25163B25083455BC725EB90D8819EFB7DCAF85340F00492EF689D3191EF75A5888B66

Function 0035B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 0035C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035B6AE,?,?), ref: 0035C9B5
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035C9F1
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA68
Part of subcall function 0035C998: _wcslen.LIBCMT ref: 0035CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0035BB63
RegCloseKey.ADVAPI32(?,?), ref: 0035BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0035BBB3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 635d0fabfe31723ad301f7fe844ca58472c1d0c650d67bc5018bc405e8210ebd
Instruction ID: 6d14fd6fa3221ba89c1f1ae2e3d880e06896ddeaf0887bcf39ab6f06ebbea9d0
Opcode Fuzzy Hash: 635d0fabfe31723ad301f7fe844ca58472c1d0c650d67bc5018bc405e8210ebd
Instruction Fuzzy Hash: FE61AF31218241AFD315DF24C490E2AFBE9FF84308F55855DF8998B2A2DB71ED49CB92

Function 00338BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00338BCD
VariantClear.OLEAUT32 ref: 00338C3E
VariantClear.OLEAUT32 ref: 00338C9D
VariantClear.OLEAUT32(?), ref: 00338D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00338D3B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a6e9aac2a687fd82b7b39ec93a529a45153e6495fc0ad7afe9464d197ddac540
Instruction ID: c4412901d656e36506f39dca25b699a15c255a360d5cb66441fc618c958403cc
Opcode Fuzzy Hash: a6e9aac2a687fd82b7b39ec93a529a45153e6495fc0ad7afe9464d197ddac540
Instruction Fuzzy Hash: 885168B5A00219EFCB11CF69C884AAAB7F8FF89314F158559F905DB350EB34E911CBA0

Function 00348AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00348BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00348BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00348C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00348C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00348C5F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 90efd6a46c03758ef26bef3ea14dc9a809c3c7b9e1f6c3a4d08e64e0a63d7daa
Instruction ID: 2fa934f4fe4eb03b4cd322ad59ef067cb062256396bc547a570ff71d70a83360
Opcode Fuzzy Hash: 90efd6a46c03758ef26bef3ea14dc9a809c3c7b9e1f6c3a4d08e64e0a63d7daa
Instruction Fuzzy Hash: 7B514735A10215AFCB05DF65C880AAEBBF5FF48314F088459E849AB362DB35ED51CF91

Function 00358EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00358F40
GetProcAddress.KERNEL32(00000000,?), ref: 00358FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00358FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00359032
FreeLibrary.KERNEL32(00000000), ref: 00359052

Part of subcall function 002EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00341043,?,753CE610), ref: 002EF6E6
Part of subcall function 002EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0032FA64,00000000,00000000,?,?,00341043,?,753CE610,?,0032FA64), ref: 002EF70D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7f01744a645d610dad8af92c3bac99c501adc71eb9ac2eae33f217109008e3b1
Instruction ID: ac5c0c8e0d8fe222c1babece184015ce8172b06398fc537382d0a10d1b01a0c3
Opcode Fuzzy Hash: 7f01744a645d610dad8af92c3bac99c501adc71eb9ac2eae33f217109008e3b1
Instruction Fuzzy Hash: 08513835600245DFC702DF68D494DA9BBB1FF49315B458099EC0AAB362DB31ED89CF90

Function 00366B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00366C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00366C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00366C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0034AB79,00000000,00000000), ref: 00366C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00366CC7

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c495b8e34080112d05fbea4a01a083683060f69ce63132b8fd1fc1c6fdadf2f1
Instruction ID: 0c7e1e7f50d2e7ba5a6e34d0927856d2c66aaee22bcee4d4b50bec906dfde00a
Opcode Fuzzy Hash: c495b8e34080112d05fbea4a01a083683060f69ce63132b8fd1fc1c6fdadf2f1
Instruction Fuzzy Hash: 3441EA35604504AFD726CF29CC5AFB9BFA9EB09390F158228F895A72E4C371ED41CA80

Function 00302051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003020C3
_free.LIBCMT ref: 003020E3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c19f9f2d22c8101a50b41d49286b7dc4943a80e4dd7b81b6f639edfe9cf83488
Instruction ID: 8c18bd6ee68cb06ab322c8b4581f80ffb6b85608742296610e9d2761b204cd1a
Opcode Fuzzy Hash: c19f9f2d22c8101a50b41d49286b7dc4943a80e4dd7b81b6f639edfe9cf83488
Instruction Fuzzy Hash: 0041E232A012009FCB26DF78C894A5EB3B5EF89314F1645A9E615EB391D731ED01CB90

Function 002E912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002E9141
ScreenToClient.USER32(00000000,?), ref: 002E915E
GetAsyncKeyState.USER32(00000001), ref: 002E9183
GetAsyncKeyState.USER32(00000002), ref: 002E919D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4f0759d3497560f6e29e295aabbdd14267a82414b9cbf029b9ca0ea49ba38a26
Instruction ID: 421fb0030511854ccd2adc707eba07ba0f9b56b7b59c71abaf814a41fe0afcd9
Opcode Fuzzy Hash: 4f0759d3497560f6e29e295aabbdd14267a82414b9cbf029b9ca0ea49ba38a26
Instruction Fuzzy Hash: 6B41603191851BFBDF169F65D844BEEB774FF05320F208216E429A7290C77069A4DF51

Function 00343874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003438CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00343922
TranslateMessage.USER32(?), ref: 0034394B
DispatchMessageW.USER32(?), ref: 00343955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00343966

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d12098b5a9fc1aef98c7ee0b28b1bf54720dab04b6de28d75e8f579a9ddc2403
Instruction ID: 2643ab0e66fe47257768975c745f7f19d183f03ca9717e4a2caceda200909964
Opcode Fuzzy Hash: d12098b5a9fc1aef98c7ee0b28b1bf54720dab04b6de28d75e8f579a9ddc2403
Instruction Fuzzy Hash: 813191719183429EEB67CB359848BB777ECEB06304F054569E4A28B5A0E7F4BA84CB11

Function 0034CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0034C21E,00000000), ref: 0034CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0034CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0034C21E,00000000), ref: 0034CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0034C21E,00000000), ref: 0034CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0034C21E,00000000), ref: 0034CFF2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 82f31c7ece1834825d699e04503e3e04157cd8b24576eb220fe1356c63072a53
Instruction ID: 67ad5aebdab79b1b83ccf8b37267bf39be8ffef3e14b7b4a49544d7d60642528
Opcode Fuzzy Hash: 82f31c7ece1834825d699e04503e3e04157cd8b24576eb220fe1356c63072a53
Instruction Fuzzy Hash: A7318C71621205EFDB62DFA5C884AABBBFDEB14310F10942EF506DA101EB34BE44DB60

Function 00331901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00331915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003319C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003319C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003319DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003319E2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e96615ee919ad0a69c10b7714b217273178b745443a9c8e1da8ea025e3c35882
Instruction ID: fc0320bb4255464b538fceaea4dc43353fadc900313133f6382b7232c56caf00
Opcode Fuzzy Hash: e96615ee919ad0a69c10b7714b217273178b745443a9c8e1da8ea025e3c35882
Instruction Fuzzy Hash: 6131D471A00219EFCB05CFA8CD99BEE7BB5EB05315F108225F961AB2D1C7B09D54CB90

Function 00365706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00365745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0036579D
_wcslen.LIBCMT ref: 003657AF
_wcslen.LIBCMT ref: 003657BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00365816

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f979aa7b942cc125250c561880bc8c03ee537ff7bfa615f1186c0a8007d4ad57
Instruction ID: cfa8c93ba0a5056c54b7939b9f8e391af2666c684cd5b2bbe908c69d9a240db2
Opcode Fuzzy Hash: f979aa7b942cc125250c561880bc8c03ee537ff7bfa615f1186c0a8007d4ad57
Instruction Fuzzy Hash: E6219671904618DADB229F61CC85AEEBBBCFF04764F10C266F929EB184D7B09985CF50

Function 00350930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00350951
GetForegroundWindow.USER32 ref: 00350968
GetDC.USER32(00000000), ref: 003509A4
GetPixel.GDI32(00000000,?,00000003), ref: 003509B0
ReleaseDC.USER32(00000000,00000003), ref: 003509E8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ecad88706145c039352a10396ec0698409a6dd61d852ddc2395b5abb8e312228
Instruction ID: 015137a3ae525a46fb46b48938df4bb192588af215f5e2ca244f0090bac7189f
Opcode Fuzzy Hash: ecad88706145c039352a10396ec0698409a6dd61d852ddc2395b5abb8e312228
Instruction Fuzzy Hash: 91218135610204AFD705EF65D884AAEBBE9EF44701F04C069E88ADB762CB70AC44CB90

Function 0030CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0030CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0030CDE9

Part of subcall function 00303820: RtlAllocateHeap.NTDLL(00000000,?,003A1444,?,002EFDF5,?,?,002DA976,00000010,003A1440,002D13FC,?,002D13C6,?,002D1129), ref: 00303852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0030CE0F
_free.LIBCMT ref: 0030CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0030CE31

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 79445f00d1eca74f03cc162391537ba794f444e73eafda7dc677aff1c61faa6d
Instruction ID: 70a93924725054ffc0990406bb1d6226bcbfc7c9cf47adbf0b702323f6c12b68
Opcode Fuzzy Hash: 79445f00d1eca74f03cc162391537ba794f444e73eafda7dc677aff1c61faa6d
Instruction Fuzzy Hash: FF01D8726132157FA32317BAAC5CC7F696DDEC7BA23155229FD05C7280DAA08D01D1B0

Function 002E9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002E9693
SelectObject.GDI32(?,00000000), ref: 002E96A2
BeginPath.GDI32(?), ref: 002E96B9
SelectObject.GDI32(?,00000000), ref: 002E96E2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e898eb875c743111d878e7ab800f471b79c001831663c50413af8b67b5573b7f
Instruction ID: 4c38d8384b98d793aadbf5ed1fecbdbfa8fe2a9663e0eca8a9e6dd2dc018151f
Opcode Fuzzy Hash: e898eb875c743111d878e7ab800f471b79c001831663c50413af8b67b5573b7f
Instruction Fuzzy Hash: E9218071862386EBDB129F26EC147EA3BACBB02355F50421BF410A61B0D3B499E1CFD4

Function 00335711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00335726
_memcmp.LIBVCRUNTIME ref: 00335744
_memcmp.LIBVCRUNTIME ref: 00335757
_memcmp.LIBVCRUNTIME ref: 0033576F
_memcmp.LIBVCRUNTIME ref: 00335787

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d87cd0a63192350359335c04114a34abe63244071d85f5d08bc91973d4ca70bb
Instruction ID: 6da961a90acb3516428c96b4579900818b0a1d118498a04caa1c81c6566dc77b
Opcode Fuzzy Hash: d87cd0a63192350359335c04114a34abe63244071d85f5d08bc91973d4ca70bb
Instruction Fuzzy Hash: B8019261645A09FED20A5510ADD2EFAA35D9B31394F814030FE049B645F760ED20C7E0

Function 00302DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002FF2DE,00303863,003A1444,?,002EFDF5,?,?,002DA976,00000010,003A1440,002D13FC,?,002D13C6), ref: 00302DFD
_free.LIBCMT ref: 00302E32
_free.LIBCMT ref: 00302E59
SetLastError.KERNEL32(00000000,002D1129), ref: 00302E66
SetLastError.KERNEL32(00000000,002D1129), ref: 00302E6F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d452d218aa800df5b0573b50e91565bfb05d8e08212715fc4abb81be6dcb428f
Instruction ID: 413b24a15779b54884f7f02096344404a1c36f928765a17663521aefc04aa93a
Opcode Fuzzy Hash: d452d218aa800df5b0573b50e91565bfb05d8e08212715fc4abb81be6dcb428f
Instruction Fuzzy Hash: F401283628760067C6137734EC6DD2B265DAFD23B1F364429F865A62D2EF748C01C320

Function 0033000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?,?,0033035E), ref: 0033002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?), ref: 00330046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?), ref: 00330054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?), ref: 00330064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0032FF41,80070057,?,?), ref: 00330070

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7c005368a4d1a3db4dc64b764d61451cac9dac8d9f25f50d472a5431419b13e1
Instruction ID: 3302879166ce5fd833fd187b80148fc44b5416f24f1686667d58d16950ef1f49
Opcode Fuzzy Hash: 7c005368a4d1a3db4dc64b764d61451cac9dac8d9f25f50d472a5431419b13e1
Instruction Fuzzy Hash: 0E01FD72610208BFDB2A4F68DC84BBE7AEDEF44792F108024F845D3210E7B4CD008BA0

Function 0033E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0033E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0033E9A5
Sleep.KERNEL32(00000000), ref: 0033E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0033E9B7
Sleep.KERNEL32 ref: 0033E9F3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7a54208c9da8625733ab60e26f45e14b393fecf407056d8c22bfabfaffebd6e5
Instruction ID: dc81d24ed2493151bd1eb3e9746a4462538f5c5471aa4ec8a6ec54d5fac5d9f0
Opcode Fuzzy Hash: 7a54208c9da8625733ab60e26f45e14b393fecf407056d8c22bfabfaffebd6e5
Instruction Fuzzy Hash: 2E016931C11629DBCF02AFE4DC99AEDBB7CFF09302F014646E942B2280CB789551CBA1

Function 003310F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00331114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 00331120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 0033112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00330B9B,?,?,?), ref: 00331136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0033114D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 247bad37d7e5c989a024085f21072bb3248ad78052b8a1a8f779061b7bd3e388
Instruction ID: 668e45a612d75f746af7a5d3a2f9a65dd47e1221a5d000db649e96b874941d34
Opcode Fuzzy Hash: 247bad37d7e5c989a024085f21072bb3248ad78052b8a1a8f779061b7bd3e388
Instruction Fuzzy Hash: DD011D75610205BFDB124F65DC4DAAA3B6EEF85360F214415FA85D7350DA71DC009A60

Function 00330FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00330FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00330FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00330FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00330FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00331002

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: eb7adceceeae67b9ce7166bb8e821fa38666ded2939d2b849478c51ed5fffd51
Instruction ID: 09b9611131d94908daa0ea3a9e6e20c57cbedbbecc43e3128838ce05c5d73e72
Opcode Fuzzy Hash: eb7adceceeae67b9ce7166bb8e821fa38666ded2939d2b849478c51ed5fffd51
Instruction Fuzzy Hash: 51F06D39210301FBDB224FA5DC8DF663BADEF8A762F119414FA89D7251CAB5DC508A60

Function 00331014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0033102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00331036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00331045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0033104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00331062

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1772b3aaa8cc780936e52f460d530b72e69fc8a1941e45a488ee5c27f6c198d3
Instruction ID: 4a02a90272ea5459335f1422e48e838f7bc5ce73dce809f15baf71a1ffed0d50
Opcode Fuzzy Hash: 1772b3aaa8cc780936e52f460d530b72e69fc8a1941e45a488ee5c27f6c198d3
Instruction Fuzzy Hash: C9F06D39210301FBDB235FA5EC9DF663BADEF8A761F115414FA85D7250CAB1D8508A60

Function 0034030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0034017D,?,003432FC,?,00000001,00312592,?), ref: 00340324
CloseHandle.KERNEL32(?,?,?,?,0034017D,?,003432FC,?,00000001,00312592,?), ref: 00340331
CloseHandle.KERNEL32(?,?,?,?,0034017D,?,003432FC,?,00000001,00312592,?), ref: 0034033E
CloseHandle.KERNEL32(?,?,?,?,0034017D,?,003432FC,?,00000001,00312592,?), ref: 0034034B
CloseHandle.KERNEL32(?,?,?,?,0034017D,?,003432FC,?,00000001,00312592,?), ref: 00340358
CloseHandle.KERNEL32(?,?,?,?,0034017D,?,003432FC,?,00000001,00312592,?), ref: 00340365

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 94475bcbab689a4d4791c8e3c9d88f8f794f188712c67164bdec5b18c0270093
Instruction ID: c4ed3ac71aaf1e7a5a4507683704cd47c7983257402d59f3851e7129e4faab6f
Opcode Fuzzy Hash: 94475bcbab689a4d4791c8e3c9d88f8f794f188712c67164bdec5b18c0270093
Instruction Fuzzy Hash: D701A276900B159FC7369F66D890416FBF9BF503153168A3FD29652931C3B1B954CF80

Function 0030D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0030D752

Part of subcall function 003029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000), ref: 003029DE
Part of subcall function 003029C8: GetLastError.KERNEL32(00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000,00000000), ref: 003029F0

_free.LIBCMT ref: 0030D764
_free.LIBCMT ref: 0030D776
_free.LIBCMT ref: 0030D788
_free.LIBCMT ref: 0030D79A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66c0c680e54b0abe1ae60b3b3060d2f0312c0cc7eb19e5f6ba3b64971ebb3b81
Instruction ID: efe18e743a3ed85c127211c5497b9b9c1cf4d1293de88af7fd60a951bcc3fb9b
Opcode Fuzzy Hash: 66c0c680e54b0abe1ae60b3b3060d2f0312c0cc7eb19e5f6ba3b64971ebb3b81
Instruction Fuzzy Hash: 68F01232556204ABC623EFA8F9D5C1777DDBB45B10BA51806F048EB581C731FC8087B4

Function 00335C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00335C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00335C6F
MessageBeep.USER32(00000000), ref: 00335C87
KillTimer.USER32(?,0000040A), ref: 00335CA3
EndDialog.USER32(?,00000001), ref: 00335CBD

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6ddd8b65c7fa8b4026943b0c09eea8881cc35fabcb02c13f2d744bf70f60cd1c
Instruction ID: 2257cf353812456b0f7c7f35250ad7e6b16232e7e87bf163f04402933b9e901d
Opcode Fuzzy Hash: 6ddd8b65c7fa8b4026943b0c09eea8881cc35fabcb02c13f2d744bf70f60cd1c
Instruction Fuzzy Hash: 1C018630510B04ABEB225B10DD8EFA67BBCBB00B09F04655AE5C3A14E1DBF4A984CA94

Function 003022A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003022BE

Part of subcall function 003029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000), ref: 003029DE
Part of subcall function 003029C8: GetLastError.KERNEL32(00000000,?,0030D7D1,00000000,00000000,00000000,00000000,?,0030D7F8,00000000,00000007,00000000,?,0030DBF5,00000000,00000000), ref: 003029F0

_free.LIBCMT ref: 003022D0
_free.LIBCMT ref: 003022E3
_free.LIBCMT ref: 003022F4
_free.LIBCMT ref: 00302305

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cd350c1ae840c3a9c7bc55da665948296bbe9d881c30406fd5c2fbadeeb1aacf
Instruction ID: bf133b339a1f794598a665a0cab9d67f621c9ac770ed696336eda8eed317ee12
Opcode Fuzzy Hash: cd350c1ae840c3a9c7bc55da665948296bbe9d881c30406fd5c2fbadeeb1aacf
Instruction Fuzzy Hash: 00F03A748221208FCA27BF54BC1594A3B6CB71A760F55190BF410EB2F1C7324821ABA5

Function 002E95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002E95D4
StrokeAndFillPath.GDI32(?,?,003271F7,00000000,?,?,?), ref: 002E95F0
SelectObject.GDI32(?,00000000), ref: 002E9603
DeleteObject.GDI32 ref: 002E9616
StrokePath.GDI32(?), ref: 002E9631

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b5fe5cb8bdf7f64e234accd475a71efa601bee7366ed0a1058f27bbc7de68764
Instruction ID: 5fc1f85c27e6ab502da97c7374a9ddebdc8b3959b42b5263d36011a3bec2e99b
Opcode Fuzzy Hash: b5fe5cb8bdf7f64e234accd475a71efa601bee7366ed0a1058f27bbc7de68764
Instruction Fuzzy Hash: C2F08C30025245EBCB135F26EC1C7763B6CEB02322F40821AF469550F0C77889A1CFA0

Function 00300F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003010F9
__freea.LIBCMT ref: 00301117

Part of subcall function 00301537: _free.LIBCMT ref: 0030154F

Strings

am/pm, xrefs: 0030117A
a/p, xrefs: 003011DE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e9e69f6d27ea4f735c23874011751fb459ac361de7043acd1b334175bacded15
Instruction ID: ef1bdc2b58dd762b0430e77a47dbbff50bc2d0c9c1d659ba45bc618d92d91df3
Opcode Fuzzy Hash: e9e69f6d27ea4f735c23874011751fb459ac361de7043acd1b334175bacded15
Instruction Fuzzy Hash: 89D11535902206CACB2B9F68C875BFEB7B9FF05300F254199E9419BAD0D3759D80CB91

Function 003561D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002F0242: EnterCriticalSection.KERNEL32(003A070C,003A1884,?,?,002E198B,003A2518,?,?,?,002D12F9,00000000), ref: 002F024D
Part of subcall function 002F0242: LeaveCriticalSection.KERNEL32(003A070C,?,002E198B,003A2518,?,?,?,002D12F9,00000000), ref: 002F028A

Part of subcall function 002F00A3: __onexit.LIBCMT ref: 002F00A9

__Init_thread_footer.LIBCMT ref: 00356238

Part of subcall function 002F01F8: EnterCriticalSection.KERNEL32(003A070C,?,?,002E8747,003A2514), ref: 002F0202
Part of subcall function 002F01F8: LeaveCriticalSection.KERNEL32(003A070C,?,002E8747,003A2514), ref: 002F0235

Part of subcall function 0034359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003435E4
Part of subcall function 0034359C: LoadStringW.USER32(003A2390,?,00000FFF,?), ref: 0034360A

Strings

x#:, xrefs: 0035636F
x#:, xrefs: 0035633A
x#:, xrefs: 00356353

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#:$x#:$x#:
API String ID: 1072379062-4111891144
Opcode ID: 61ee66a8c2b6348d7a2ffb3748d45cc79c1ca815a0298f346359689feda36f41
Instruction ID: bab83706f4816ef548b2bb1b4ce1482a321a65c7bf71be2d170926570c8423b7
Opcode Fuzzy Hash: 61ee66a8c2b6348d7a2ffb3748d45cc79c1ca815a0298f346359689feda36f41
Instruction Fuzzy Hash: A5C1B071A00109AFCB15DF58C891EBEB7B9FF49300F51846AF9059B2A1DB70ED59CB90

Function 00305AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO-, xrefs: 00305BA8, 00305C6C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: JO-
API String ID: 0-2960318139
Opcode ID: c4036fee8a332b1827da0d4a4a1d158db1398a5b9f0fcf6174544548d0495e43
Instruction ID: 0c812d6c31e335a7beac803e976d4c2e2b090982baae14bff82913e30b0c537b
Opcode Fuzzy Hash: c4036fee8a332b1827da0d4a4a1d158db1398a5b9f0fcf6174544548d0495e43
Instruction Fuzzy Hash: BB51AD71A126099FDF22DFA4C969FBFBBB8AF05310F15005AE805AB2D2D7719901CF61

Function 00308A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00308B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00308B7A
__dosmaperr.LIBCMT ref: 00308B81

Strings

./, xrefs: 00308A63

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: ./
API String ID: 2434981716-41378711
Opcode ID: 5fd185e50a3c80bc0dc0542addf77028e034b54b1169b0a02afcd872df9df071
Instruction ID: 5a28a31b6b23e7d505fae68ca43b2e2e3267e9b42fb17ca392da26326c910a3f
Opcode Fuzzy Hash: 5fd185e50a3c80bc0dc0542addf77028e034b54b1169b0a02afcd872df9df071
Instruction Fuzzy Hash: EA416C70605155AFDB279F28C8A0A7D7FA9DF46304F2985A9F8C597AD2DE318C028790

Function 00332716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0033B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003321D0,?,?,00000034,00000800,?,00000034), ref: 0033B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00332760

Part of subcall function 0033B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0033B3F8

Part of subcall function 0033B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0033B355
Part of subcall function 0033B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00332194,00000034,?,?,00001004,00000000,00000000), ref: 0033B365
Part of subcall function 0033B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00332194,00000034,?,?,00001004,00000000,00000000), ref: 0033B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003327CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0033281A

Strings

@, xrefs: 00332832

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: deca7eed3a749aa8978f364c70f71e7f402f06c7762e0335e0be8a5d1200cb0c
Instruction ID: 7e89307e9b9a1483bbe8b11ce4faaeb90258f6594c9c5da34a47ebe31741bb69
Opcode Fuzzy Hash: deca7eed3a749aa8978f364c70f71e7f402f06c7762e0335e0be8a5d1200cb0c
Instruction Fuzzy Hash: C3411B76900218BFDB11DBA4CD85AEEBBB8AF09710F108095FA55BB181DB706E45CBA1

Function 0030172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00301769
_free.LIBCMT ref: 00301834
_free.LIBCMT ref: 0030183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00301760, 00301767, 00301796, 003017CE

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 86a1c65328b97e7890ba6161320252d8500fabb1b0a61ef729705e34b0ab7204
Instruction ID: 62a8c3e8b96792eef12a417241f468fb5ba5e227f16299ab1f4d775b4a49b786
Opcode Fuzzy Hash: 86a1c65328b97e7890ba6161320252d8500fabb1b0a61ef729705e34b0ab7204
Instruction Fuzzy Hash: ED318075A01218EBDB23DF99D895D9EBBFCEB86710F114166F80497291D6B08E40CB90

Function 0033C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0033C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0033C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003A1990,01706A68), ref: 0033C395

Strings

0, xrefs: 0033C2DF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: fb6ad2a686d308ecd722982509cc01b1a08fbd9c929ff9f1d483a9688196e61d
Instruction ID: ac1dd3d374090d243d4d0cb3b4e55caf73afe890c96dd6908f03101657e11f67
Opcode Fuzzy Hash: fb6ad2a686d308ecd722982509cc01b1a08fbd9c929ff9f1d483a9688196e61d
Instruction Fuzzy Hash: 2C41B0352143019FD722DF25D884B6ABBE8EF85320F009A5EF9A5A72D1D774E904CB52

Function 00364416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0036CC08,00000000,?,?,?,?), ref: 003644AA
GetWindowLongW.USER32 ref: 003644C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003644D7

Strings

SysTreeView32, xrefs: 0036447C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 1de469c1fac7fdca7f470a9a89956503058321fc423e107482fef2917622973f
Instruction ID: 0b6625d164d4cb03075b20e1114fe9b894cca2b5e0de75d10f77e860f48cb06e
Opcode Fuzzy Hash: 1de469c1fac7fdca7f470a9a89956503058321fc423e107482fef2917622973f
Instruction Fuzzy Hash: 7B31A031610205AFDF229F38DC46BEA7BA9EB09334F218715F975921E4DB70ECA19B50

Function 00336E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00336EED
VariantCopyInd.OLEAUT32(?,?), ref: 00336F08
VariantClear.OLEAUT32(?), ref: 00336F12

Strings

*j3, xrefs: 00336E8B, 00336E90, 00336EF8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j3
API String ID: 2173805711-3931764767
Opcode ID: 4e8d58c92a5be6daa3965553e113c57139b64d073ef448d0793411e8f48a2360
Instruction ID: 9bf04b6df5ccd83cd464a3892f88dbbb078dc71743b7bf7463c3c7356e089aa9
Opcode Fuzzy Hash: 4e8d58c92a5be6daa3965553e113c57139b64d073ef448d0793411e8f48a2360
Instruction Fuzzy Hash: 5B31B371604245EFCB07AF64E8A29BD3779EF44301F108499F8064B3A1CB349D21DBD0

Function 0035304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0035335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00353077,?,?), ref: 00353378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0035307A
_wcslen.LIBCMT ref: 0035309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00353106

Strings

255.255.255.255, xrefs: 00353095, 0035309A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 94c276a38d66dbbf70394140d5d65e2b36b85a1d82ec4c9b00a51bdecc7609e0
Instruction ID: 234014e6e00be57724182234c57568abc94c9a6a2f88a32061d8de7a3ac5b1f9
Opcode Fuzzy Hash: 94c276a38d66dbbf70394140d5d65e2b36b85a1d82ec4c9b00a51bdecc7609e0
Instruction Fuzzy Hash: 1631F7352043059FC712DF28C485E6A77E0EF14395F258059EC168B7A2D771DF49CB60

Function 00363EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00363F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00363F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00363F78

Strings

SysMonthCal32, xrefs: 00363F0B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9364fca6e8d415a57218d0612c43daca087d4ddd5134e0298b157292fadf6797
Instruction ID: acce0ee345e65411a075d1f07b64d64baee8e8350ba529b940eb19f9bc5b7f7b
Opcode Fuzzy Hash: 9364fca6e8d415a57218d0612c43daca087d4ddd5134e0298b157292fadf6797
Instruction Fuzzy Hash: 3C21AE32610219BFDF229F90CC46FEA3BB9EF48724F114214FA556B1D0D6B5AD60CBA0

Function 00364653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00364705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00364713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0036471A

Strings

msctls_updown32, xrefs: 00364684

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 048adfeb2cbd554042933dd5caee022e9803d6f299995d7ae80a5c8ae01adc11
Instruction ID: 7017fc2eef557cc75aebe8755cd3bf7e64823e6f1ecd86d6bbdc54475bbfdcdf
Opcode Fuzzy Hash: 048adfeb2cbd554042933dd5caee022e9803d6f299995d7ae80a5c8ae01adc11
Instruction Fuzzy Hash: A92190B5600208AFDB12DF64DCC1DB777ADEB5A394F054059FA109B361CB70EC21CA60

Function 003395AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0033961D

Strings

#requireadmin, xrefs: 003395D9
#notrayicon, xrefs: 003395B7
#OnAutoItStartRegister, xrefs: 003395F3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 31e4aeac2f0853d226946832e3ef3d9d40cf1a09128f5ccfbc6a16dca8c6cca8
Instruction ID: e72524a2d0add7ddaf7ac9c6f56893dcfe2f797273ae3a480bdab211e5237948
Opcode Fuzzy Hash: 31e4aeac2f0853d226946832e3ef3d9d40cf1a09128f5ccfbc6a16dca8c6cca8
Instruction Fuzzy Hash: 0C216832214610E6D333AA249C83FB7B39C9F51310F408037FA4A97141EBD1AD91C6E1

Function 003637B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00363840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00363850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00363876

Strings

Listbox, xrefs: 0036380F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 207b80a1d7012abe5c49be280bf31210168e40bdd1330fdaae7215e76557179d
Instruction ID: e249f3dc73042b158f4014e7842840a0086224c6f4e9e3c70632ae299549261b
Opcode Fuzzy Hash: 207b80a1d7012abe5c49be280bf31210168e40bdd1330fdaae7215e76557179d
Instruction Fuzzy Hash: AA218E72610218BBEF229F54DC85EFB376EEF89760F11C124F9549B194C6B1DC528BA0

Function 003449F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00344A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00344A5C
SetErrorMode.KERNEL32(00000000,?,?,0036CC08), ref: 00344AD0

Strings

%lu, xrefs: 00344A6F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 850ba779ec4d151c2dd625cc2315e47394d853426f62ef8a5c449e0042a78542
Instruction ID: 38d61a6d2684012b0fd1143ab1a5a468de9cf951f1270cfb68ca3400edb70b82
Opcode Fuzzy Hash: 850ba779ec4d151c2dd625cc2315e47394d853426f62ef8a5c449e0042a78542
Instruction Fuzzy Hash: 27314C71A10108AFDB11DF54C985EAA7BF8EF09308F1480A9F909DF262DB71ED45CB61

Function 003641EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0036424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00364264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00364271

Strings

msctls_trackbar32, xrefs: 00364226

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c5e664f863a2bb6ee634d85351f9e505198a2b68533bd952986773d1820179a0
Instruction ID: 4739e98e1d5ce57bb5bd82d6b5811810fbdefa4b8b176b88a012c63ea06e7bba
Opcode Fuzzy Hash: c5e664f863a2bb6ee634d85351f9e505198a2b68533bd952986773d1820179a0
Instruction Fuzzy Hash: 63110631650208BEEF225F28CC46FAB7BACEF85B54F124514FA55E6090D2B1DC619B24

Function 00332F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

Part of subcall function 00332DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00332DC5
Part of subcall function 00332DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00332DD6
Part of subcall function 00332DA7: GetCurrentThreadId.KERNEL32 ref: 00332DDD
Part of subcall function 00332DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00332DE4

GetFocus.USER32 ref: 00332F78

Part of subcall function 00332DEE: GetParent.USER32(00000000), ref: 00332DF9

GetClassNameW.USER32(?,?,00000100), ref: 00332FC3
EnumChildWindows.USER32(?,0033303B), ref: 00332FEB

Strings

%s%d, xrefs: 00332FFF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 582550f49d563c015cf143e0655ea07ab7da37d91f075c5979af85e0f6f598d1
Instruction ID: a50c9f980da0cc85c3d6e251233db405f86e1ad002bb1df654cc1ddc67c3fd03
Opcode Fuzzy Hash: 582550f49d563c015cf143e0655ea07ab7da37d91f075c5979af85e0f6f598d1
Instruction Fuzzy Hash: C111B171600205ABCF167F74CCC9EFE376AAF84304F048076F919AB292DE7099498B70

Function 00365882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003658C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003658EE
DrawMenuBar.USER32(?), ref: 003658FD

Strings

0, xrefs: 0036588F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 471dea883567d07dd2aaa07fbd95eaca0ffa1b9ded96815b70af91594d323e0d
Instruction ID: 7e0a6dd83416810edc25f9c9b48edddf630dbb79f23015a1fd99bb939905671f
Opcode Fuzzy Hash: 471dea883567d07dd2aaa07fbd95eaca0ffa1b9ded96815b70af91594d323e0d
Instruction Fuzzy Hash: 4D01AD32510248EFDB229F12DC44BAEBBB8FB45360F04C0A9E889D6151DB309A90DF30

Function 0032D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0032D3BF
FreeLibrary.KERNEL32 ref: 0032D3E5

Strings

X64, xrefs: 0032D2A8
GetSystemWow64DirectoryW, xrefs: 0032D3B9

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 724b1ebd3ae4de6d9d30e863fdeddafa84e9c7bb0d58226d888b24cc389a0d85
Instruction ID: 0bfc8caa6a3b850d806304c181dd3d68df1ac79360e1f08b1176f7e5ba2f3d1b
Opcode Fuzzy Hash: 724b1ebd3ae4de6d9d30e863fdeddafa84e9c7bb0d58226d888b24cc389a0d85
Instruction Fuzzy Hash: E0F0AB3E925730DBD7335310EC14AB97318AF12701FAAD919F443E1148E7A0CC4086C2

Function 0033007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625301de51628249bb411d4503e606416ba8bd326e6807cce8e5081fc55b41b0
Instruction ID: b155bca1a1e8f9c37845e5fcaa5b9c551e2e565a0665b46b271881598b01eaec
Opcode Fuzzy Hash: 625301de51628249bb411d4503e606416ba8bd326e6807cce8e5081fc55b41b0
Instruction Fuzzy Hash: D9C15C75A0020AEFDB19CFA4C8A4EAEB7B5FF48714F218598E505EB251D731ED41CB90

Function 0035342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00353459
CoUninitialize.OLE32 ref: 00353463
VariantInit.OLEAUT32(?), ref: 0035346E
VariantClear.OLEAUT32(?), ref: 0035371B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f2aa8999b2fd1ea68447c135c8614aefd2130efdf822fe0c420cad3bb2eb6725
Instruction ID: 23a513b0ca7e9af81f0bd1dff39b61c51b6a1c49ffde54050a72328e8f684088
Opcode Fuzzy Hash: f2aa8999b2fd1ea68447c135c8614aefd2130efdf822fe0c420cad3bb2eb6725
Instruction Fuzzy Hash: F8A156756142009FC701DF28C485E2AB7E9EF89355F05885AFD8A9B362DB30EE05CF92

Function 00330436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0036FC08,?), ref: 003305F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0036FC08,?), ref: 00330608
CLSIDFromProgID.OLE32(?,?,00000000,0036CC40,000000FF,?,00000000,00000800,00000000,?,0036FC08,?), ref: 0033062D
_memcmp.LIBVCRUNTIME ref: 0033064E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c45cb8bd55c1a4a3f0f70d6f22d9ecae4095ae38e3884b72bad419e4372a40c6
Instruction ID: 334958dacf08b67b613cfede026738f3463a87e103180758f906c98020ac4e54
Opcode Fuzzy Hash: c45cb8bd55c1a4a3f0f70d6f22d9ecae4095ae38e3884b72bad419e4372a40c6
Instruction Fuzzy Hash: 45811871A00109EFCB05DF94C994EEEB7B9FF89315F208598E506AB250DB71AE46CF60

Function 0035A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0035A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0035A6BA

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0035A79C
CloseHandle.KERNEL32(00000000), ref: 0035A7AB

Part of subcall function 002ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00313303,?), ref: 002ECE8A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: ab2106bd68aeff523a2fecceab4cc657e8df4e7671e5591ea335f483a8736cd9
Instruction ID: 34247a1a1c5787946398f9d4a50f582e64af3e4e7ed715fd1aeaa14b784b8f46
Opcode Fuzzy Hash: ab2106bd68aeff523a2fecceab4cc657e8df4e7671e5591ea335f483a8736cd9
Instruction Fuzzy Hash: 1C5169715183009FD311EF25C886A6BBBE8FF89704F40891EF985972A2EB70D914CF92

Function 00311391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003114C0

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6c18853f5fdb77b376e51ef77bd8b3f260a0b66bf82a83d6165ee8c9f0bcb1ee
Instruction ID: ca3f04092d64e69f586b4818686e810903749d32050e65a2a1838f14db848318
Opcode Fuzzy Hash: 6c18853f5fdb77b376e51ef77bd8b3f260a0b66bf82a83d6165ee8c9f0bcb1ee
Instruction Fuzzy Hash: 1E417D316001046BDB2B6FFA8C45AFE3AB9EF4A770F150236FB19CA1D2EA7448815761

Function 00366278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003662E2
ScreenToClient.USER32(?,?), ref: 00366315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00366382

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bd482a4ae4d00edaa90ef35b77ecbee7f1e70e2ce3d572ab91ed69405339e990
Instruction ID: cdd334217f8502e4031b167f582baad4f190bdc892ef63fdec1c001beb8e0289
Opcode Fuzzy Hash: bd482a4ae4d00edaa90ef35b77ecbee7f1e70e2ce3d572ab91ed69405339e990
Instruction Fuzzy Hash: 5F513A74A00209AFCF12DF68D8819AE7BB5EF453A0F21815AF8559B2A4D770ED81CB90

Function 00351AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00351AFD
WSAGetLastError.WSOCK32 ref: 00351B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00351B8A
WSAGetLastError.WSOCK32 ref: 00351B94

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 65c22f65053d893e9e3c83038fa41e7dfdadfcd24d0ec4ab15fc3ee2135416ab
Instruction ID: f020a5916c41ac9b04ee6ff6a7f06d3c9b22ac5ee92f0b14d2d8b4c86f8acc5d
Opcode Fuzzy Hash: 65c22f65053d893e9e3c83038fa41e7dfdadfcd24d0ec4ab15fc3ee2135416ab
Instruction Fuzzy Hash: CA41D234640200AFE721AF24C886F2A77E5AB44718F54C449F95A9F7E2D7B2DD42CB90

Function 0030B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33e8d844db0fd92266a97fd8713ac603eaf93fc72603630f694f9c5bd5726a0
Instruction ID: 79064564ca2a494f0316f13d9556032088f7682ee457b2b9163cbeb858ed4700
Opcode Fuzzy Hash: c33e8d844db0fd92266a97fd8713ac603eaf93fc72603630f694f9c5bd5726a0
Instruction Fuzzy Hash: 7F412672A00304AFD7269F78CC51BAAFBA9EF88710F10856AF541DB6C2D3719A418790

Function 003456D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00345783
GetLastError.KERNEL32(?,00000000), ref: 003457A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003457CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003457FA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2f9b1f06c4b08d9888fe79b3b8bc71cd116d4dafe05608088744be3d317d197c
Instruction ID: 413be04cf3264a08a07c4753433a6c9ff5cbd5f174d7a6c874dd01cfcee51f62
Opcode Fuzzy Hash: 2f9b1f06c4b08d9888fe79b3b8bc71cd116d4dafe05608088744be3d317d197c
Instruction Fuzzy Hash: 84411A39610611DFCB11DF15C444A5ABBE2EF89720B598889EC4AAF362DB34FD10CF91

Function 0030D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,002F6D71,00000000,00000000,002F82D9,?,002F82D9,?,00000001,002F6D71,?,00000001,002F82D9,002F82D9), ref: 0030D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0030D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0030D9AB
__freea.LIBCMT ref: 0030D9B4

Part of subcall function 00303820: RtlAllocateHeap.NTDLL(00000000,?,003A1444,?,002EFDF5,?,?,002DA976,00000010,003A1440,002D13FC,?,002D13C6,?,002D1129), ref: 00303852

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8fa314b0cc4f9ecb4719f707ef2154c798c9edad625ca7e1ef8bd3e454e6a4c2
Instruction ID: 8b582d9dd38e38f8240a0b20b5471cce32ca9af796be179c53fab59cca490408
Opcode Fuzzy Hash: 8fa314b0cc4f9ecb4719f707ef2154c798c9edad625ca7e1ef8bd3e454e6a4c2
Instruction Fuzzy Hash: F431AE72A1120AABDB269FA4DC51EAF7BA9EB41310F164169FC04DA290EB35CD54CB90

Function 003652C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00365352
GetWindowLongW.USER32(?,000000F0), ref: 00365375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00365382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003653A8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 4111ea87fa46a2f02c90f7d3cf3abec4dd2d3d93dad391cd0863e8e6c1f9d0d3
Instruction ID: 58a5b62d87dfdb20d04a451e7f9751543b7271776950f030da14e3f1fa701887
Opcode Fuzzy Hash: 4111ea87fa46a2f02c90f7d3cf3abec4dd2d3d93dad391cd0863e8e6c1f9d0d3
Instruction Fuzzy Hash: 3D31E438A55A08EFEB339E14CC05BE87769AB05B90F69C122FA11963E4C7F09D40DB45

Function 0033AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0033ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0033AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0033AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0033ACC6

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3db4622e72e3c8080649399fac25d3335f427554ca42912607025b01b09dbe19
Instruction ID: e858428852a0467d2fed1946472d4f40a57ef943599fba596d4b6ae432cc2d0f
Opcode Fuzzy Hash: 3db4622e72e3c8080649399fac25d3335f427554ca42912607025b01b09dbe19
Instruction Fuzzy Hash: 3F313970A04B18AFEF37CB65CC887FABBA9AB45710F08631AE4C1D61D1C3758D818792

Function 00367674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0036769A
GetWindowRect.USER32(?,?), ref: 00367710
PtInRect.USER32(?,?,00368B89), ref: 00367720
MessageBeep.USER32(00000000), ref: 0036778C

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f5b81ad581073b9add39acda167c09ebb42ee7f79377427936a8b37e919cf3ae
Instruction ID: 55243307d7ea9313cad10adcfc4237d4de03f149448ad6c37f876c85799fbb8c
Opcode Fuzzy Hash: f5b81ad581073b9add39acda167c09ebb42ee7f79377427936a8b37e919cf3ae
Instruction Fuzzy Hash: A0419A38A052149FDB13CF58C894EB9B7F8BB49358F99C0A8E8149B265D730A941CB90

Function 003616DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003616EB

Part of subcall function 00333A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00333A57
Part of subcall function 00333A3D: GetCurrentThreadId.KERNEL32 ref: 00333A5E
Part of subcall function 00333A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003325B3), ref: 00333A65

GetCaretPos.USER32(?), ref: 003616FF
ClientToScreen.USER32(00000000,?), ref: 0036174C
GetForegroundWindow.USER32 ref: 00361752

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ae0e25012e91366c8c70d8cc8f2e7daca58ca1fc8c1235e3064722678137cd4f
Instruction ID: f04f373da0f26ec792a3f964c6c7f0f92f4c661c82f50de05926b4e985e8feb3
Opcode Fuzzy Hash: ae0e25012e91366c8c70d8cc8f2e7daca58ca1fc8c1235e3064722678137cd4f
Instruction Fuzzy Hash: 89313E71D10149AFC701EFAAC881CAEBBFDEF48304B5480AAE455E7311E6319E45CFA0

Function 0033DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 002D7620: _wcslen.LIBCMT ref: 002D7625

_wcslen.LIBCMT ref: 0033DFCB
_wcslen.LIBCMT ref: 0033DFE2
_wcslen.LIBCMT ref: 0033E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0033E018

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 98b5c08f3efd1e7fcc81adfd151438f1d5f43212eacf5d135367c1a24de7a688
Instruction ID: eeff4486da83c4e104d77d8c7f1201f4ef8f2ff88386cd85816c2f0942211e4d
Opcode Fuzzy Hash: 98b5c08f3efd1e7fcc81adfd151438f1d5f43212eacf5d135367c1a24de7a688
Instruction Fuzzy Hash: C921D171900218EFCB21AFA8D9C1BBEB7F8EF45750F158065E904BB285D6B09E408FA1

Function 00368FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

GetCursorPos.USER32(?), ref: 00369001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00327711,?,?,?,?,?), ref: 00369016
GetCursorPos.USER32(?), ref: 0036905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00327711,?,?,?), ref: 00369094

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a504856c9eb4b4a5c3997446d97fefb32a03068f87cd95b4c87240537f8c68a3
Instruction ID: 9dd2b780ebd2c69e1d813f36718e922fef1f3826eaa0bf2036a3a331017be193
Opcode Fuzzy Hash: a504856c9eb4b4a5c3997446d97fefb32a03068f87cd95b4c87240537f8c68a3
Instruction Fuzzy Hash: B8216D35611018AFDF268F95CC58FFA7BBDEB4A350F14809AF90547261C7719990DB60

Function 0033D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0036CB68), ref: 0033D2FB
GetLastError.KERNEL32 ref: 0033D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0033D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0036CB68), ref: 0033D376

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0a07dc0bd3974a20ebb9bb94af8e19219d3dc320770cd8bf83cb0519a56da645
Instruction ID: f5d388d54bbe5d71585521deb6b76f7f5abdebfc1a660b4a83c19644d533a8b2
Opcode Fuzzy Hash: 0a07dc0bd3974a20ebb9bb94af8e19219d3dc320770cd8bf83cb0519a56da645
Instruction Fuzzy Hash: 0721AE745192019FC701DF28E8818AAB7E8EE5A724F104A1EF499C72A1DB31DD4ACB93

Function 00331571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00331014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0033102A
Part of subcall function 00331014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00331036
Part of subcall function 00331014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00331045
Part of subcall function 00331014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0033104C
Part of subcall function 00331014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00331062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003315BE
_memcmp.LIBVCRUNTIME ref: 003315E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00331617
HeapFree.KERNEL32(00000000), ref: 0033161E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 95984ecb62faf889826fe7a858b29db96383fe4e2af2290b2d6440331fbad2e0
Instruction ID: 6f576fa6f11fc4740f047b2dbba4a974a759c8ec14d4a4b27b7b7eb4c93714cd
Opcode Fuzzy Hash: 95984ecb62faf889826fe7a858b29db96383fe4e2af2290b2d6440331fbad2e0
Instruction Fuzzy Hash: 2F21A131E10109EFDF11DFA5C985BEEB7B8EF45344F098469E841AB241D770AA05CB60

Function 00362782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0036280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00362824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00362832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00362840

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 4d93e24dc2bbf84acb2cfebcab32837b549a628bcdbcf6435ef46458669fe860
Instruction ID: 1531591af7d94b56d7697f2804905a152ae8719cd59c8a6019f188ba416bbc37
Opcode Fuzzy Hash: 4d93e24dc2bbf84acb2cfebcab32837b549a628bcdbcf6435ef46458669fe860
Instruction Fuzzy Hash: A421F131204911AFD7169B24CC44FAB7B99AF46324F16C159F4268B6E2CBB1FC42CBD0

Function 003378F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00338D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0033790A,?,000000FF,?,00338754,00000000,?,0000001C,?,?), ref: 00338D8C
Part of subcall function 00338D7D: lstrcpyW.KERNEL32(00000000,?,?,0033790A,?,000000FF,?,00338754,00000000,?,0000001C,?,?,00000000), ref: 00338DB2
Part of subcall function 00338D7D: lstrcmpiW.KERNEL32(00000000,?,0033790A,?,000000FF,?,00338754,00000000,?,0000001C,?,?), ref: 00338DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00338754,00000000,?,0000001C,?,?,00000000), ref: 00337923
lstrcpyW.KERNEL32(00000000,?,?,00338754,00000000,?,0000001C,?,?,00000000), ref: 00337949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00338754,00000000,?,0000001C,?,?,00000000), ref: 00337984

Strings

cdecl, xrefs: 0033797B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 072039424f3bae743505123be7a900b126f904b08534d4f6553c7b67cacceabe
Instruction ID: 3b3c3dff9019371ee721461c744e520be0e92f14cab3d5b5167a1df428b83aad
Opcode Fuzzy Hash: 072039424f3bae743505123be7a900b126f904b08534d4f6553c7b67cacceabe
Instruction Fuzzy Hash: A511E97A200341ABCB265F35D885E7A77A9FF45350F50812AF946CB364EB71D811C761

Function 00367CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00367D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00367D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00367D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0034B7AD,00000000), ref: 00367D6B

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: f60154d8d6c535e14dd808b864b93a7abeaf8e7ae929dccce0521112aea590ed
Instruction ID: bb6e7df940536fd34896e528a44a020ac7f6fe8781704d154867c6f00a8a1b44
Opcode Fuzzy Hash: f60154d8d6c535e14dd808b864b93a7abeaf8e7ae929dccce0521112aea590ed
Instruction Fuzzy Hash: EF11A5316146159FCB129F28CC08ABA3BA9AF46364F55C728F835C71F4E7309950CB50

Function 00365660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003656BB
_wcslen.LIBCMT ref: 003656CD
_wcslen.LIBCMT ref: 003656D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00365816

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b0e3df3d9d6f141a5a41afd30e5bb50612aba7da611d6e14c15846ab7849ebf3
Instruction ID: 698c730177f05ab14fb53f71e5ee3569778c346da357aea7e822c6729be0a841
Opcode Fuzzy Hash: b0e3df3d9d6f141a5a41afd30e5bb50612aba7da611d6e14c15846ab7849ebf3
Instruction Fuzzy Hash: 4311D37160460996DB229F61CC85AFEB7ACEF11764F10C07AF915D6085EBB4CA84CF60

Function 00301D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccab163804992f7ca51bc04db8acfac7141e12af515c0afee3812df3223cd39
Instruction ID: 221f27be3a275d8f38e5a11609544bb9194128765739da4944805b1740fbe230
Opcode Fuzzy Hash: dccab163804992f7ca51bc04db8acfac7141e12af515c0afee3812df3223cd39
Instruction Fuzzy Hash: 8601D1B320B6163EF62326B86CE0F37661CEF423B8F310325F521A51D2EBA08C005170

Function 00331A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00331A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00331A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00331A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00331A8A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bb423ee942457670efd8520eadff1dc4a934b2672309a793e902aabc73013d7d
Instruction ID: dc0f1f570cb6c7af8a16e0b2cb8d099f51555c27518411e32e83366e60ead055
Opcode Fuzzy Hash: bb423ee942457670efd8520eadff1dc4a934b2672309a793e902aabc73013d7d
Instruction Fuzzy Hash: E011093AD01219FFEB11DBA5CD85FADFB78EB08750F210091EA04B7290D671AE50DB94

Function 0033E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0033E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0033E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0033E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0033E24D

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c6c1109bb0da72b323e81a7f80a15f0600b6ce6ecc304652d8c05f2031e79c63
Instruction ID: 037626b2f704751c01ae909196b677eca86e4a44d1c3abe0c06ed909876dbea0
Opcode Fuzzy Hash: c6c1109bb0da72b323e81a7f80a15f0600b6ce6ecc304652d8c05f2031e79c63
Instruction Fuzzy Hash: F5112B76904258BFCB03AFA8DC45AAF7FACAB46310F008215F924D32D1D2B0DD0087A0

Function 002FD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002FCFF9,00000000,00000004,00000000), ref: 002FD218
GetLastError.KERNEL32 ref: 002FD224
__dosmaperr.LIBCMT ref: 002FD22B
ResumeThread.KERNEL32(00000000), ref: 002FD249

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c1116476eca076b1ba5b072f4745ff64b6ad858b7d6b15edae6833b1f72535d0
Instruction ID: abc16adb3cb6e9ecd289403a9bc1e12cdd119bb533b14385a799567dd63cfd1d
Opcode Fuzzy Hash: c1116476eca076b1ba5b072f4745ff64b6ad858b7d6b15edae6833b1f72535d0
Instruction Fuzzy Hash: 6C01083642510C7BD7125FA5DC05BBBBA5EDF823B0F204239FE25911D1CBB18820C6A0

Function 00369EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 002E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002E9BB2

GetClientRect.USER32(?,?), ref: 00369F31
GetCursorPos.USER32(?), ref: 00369F3B
ScreenToClient.USER32(?,?), ref: 00369F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00369F7A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 33733cd18dd81228a6141405ec1e97afd0ceca357dbb5194ea33a875582ce104
Instruction ID: 28741ca3c1dbd31991c12749bb058601338e9d8a3c79afd2f898718d68170ea4
Opcode Fuzzy Hash: 33733cd18dd81228a6141405ec1e97afd0ceca357dbb5194ea33a875582ce104
Instruction Fuzzy Hash: 25115E3551011AABDB02DF59C845AFE77BCFB05312F418456F911EB140D770BA91CBA1

Function 002D600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D604C
GetStockObject.GDI32(00000011), ref: 002D6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D606A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5275a7a883b99552df63c3a9cc083165ad5ca30644b4c831bb054eddfaa8dae3
Instruction ID: 64aefeec1706b4aec5b988dd2a12bdc8022aef47a639ff0f959accec2c6c0e54
Opcode Fuzzy Hash: 5275a7a883b99552df63c3a9cc083165ad5ca30644b4c831bb054eddfaa8dae3
Instruction Fuzzy Hash: 00115B72521509BFEF125FA49C48AEABB6DFF093A5F044216FA1492210D7769C60DBA0

Function 002F3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 002F3B56

Part of subcall function 002F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 002F3AD2
Part of subcall function 002F3AA3: ___AdjustPointer.LIBCMT ref: 002F3AED

_UnwindNestedFrames.LIBCMT ref: 002F3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 002F3B7C
CallCatchBlock.LIBVCRUNTIME ref: 002F3BA4

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 24e16f5e1d60ee3d5a3091e21853bbac1e269fb19e51782dba9591e3f65d2a93
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: B001DB3211014DBBDF11AE95CC46DFBBB69EF58798F044029FE4856121C672D9719FA0

Function 00303073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002D13C6,00000000,00000000,?,0030301A,002D13C6,00000000,00000000,00000000,?,0030328B,00000006,FlsSetValue), ref: 003030A5
GetLastError.KERNEL32(?,0030301A,002D13C6,00000000,00000000,00000000,?,0030328B,00000006,FlsSetValue,00372290,FlsSetValue,00000000,00000364,?,00302E46), ref: 003030B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0030301A,002D13C6,00000000,00000000,00000000,?,0030328B,00000006,FlsSetValue,00372290,FlsSetValue,00000000), ref: 003030BF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 22b291b989d167ea8cd872e25d140cfb98c82fe42a35299715ae088968a2a716
Instruction ID: 212b39446cf9d8d4994af11ab36d976b098a149562bfbbdd429cfd8f222095f4
Opcode Fuzzy Hash: 22b291b989d167ea8cd872e25d140cfb98c82fe42a35299715ae088968a2a716
Instruction Fuzzy Hash: 1E01DB36713222ABCB334B799C54A777B9CAF45B61F214621F947E71C0D721D901C6E0

Function 00337464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0033747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00337497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003374AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003374CA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a842c06b186868f333ab88245047b1a5de11c65ede40283184a85996456634ff
Instruction ID: e5bd60d19ac50b0387575a7f786da4efac562c42070d5027478d253f3d39be7a
Opcode Fuzzy Hash: a842c06b186868f333ab88245047b1a5de11c65ede40283184a85996456634ff
Instruction Fuzzy Hash: ED11ADF1219310ABE732CF56EC48BA27BFCEB00B00F108569E696D6591DBB0F904DB60

Function 0033B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0033ACD3,?,00008000), ref: 0033B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0033ACD3,?,00008000), ref: 0033B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0033ACD3,?,00008000), ref: 0033B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0033ACD3,?,00008000), ref: 0033B126

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 21031f827472f010bb20011ba56693929c0a5c0c4fed39208562bbe3819295ef
Instruction ID: 6ce9b94c61842061cb2952dadff4aaa0bb6112296d45b418131ff12ce929ffe9
Opcode Fuzzy Hash: 21031f827472f010bb20011ba56693929c0a5c0c4fed39208562bbe3819295ef
Instruction Fuzzy Hash: 9C116D31C1152CE7CF06AFE4E9996FEFB78FF4A711F118086DA81B6185CB7096508B61

Function 00367E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00367E33
ScreenToClient.USER32(?,?), ref: 00367E4B
ScreenToClient.USER32(?,?), ref: 00367E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00367E8A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: caf99cf11802b8942835dc7d77ad1d711d7d46bc1566eaa2e1fce598b48bd2c6
Instruction ID: 7b31caa623508fbc001e3c30471ae14076125756c71c2a2991933b69480231d1
Opcode Fuzzy Hash: caf99cf11802b8942835dc7d77ad1d711d7d46bc1566eaa2e1fce598b48bd2c6
Instruction Fuzzy Hash: 701153B9D1024AAFDB41CF98C884AEEBBF9FF08310F509066E955E3210D775AA54CF90

Function 00332DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00332DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00332DD6
GetCurrentThreadId.KERNEL32 ref: 00332DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00332DE4

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b4757a1bff0e14c0f32bbbfc49326cc10ef57e5f868905175ba60a449ef173c0
Instruction ID: f1a0f5be652c70d025e4a8750b910172d21cef11c7075ca6bde92c99e95b94b5
Opcode Fuzzy Hash: b4757a1bff0e14c0f32bbbfc49326cc10ef57e5f868905175ba60a449ef173c0
Instruction Fuzzy Hash: 1BE06D71111224BADB222B62DC4DEFB7E6CEF42BA1F045015F106D10909AE58840C6B0

Function 00368863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002E9693
Part of subcall function 002E9639: SelectObject.GDI32(?,00000000), ref: 002E96A2
Part of subcall function 002E9639: BeginPath.GDI32(?), ref: 002E96B9
Part of subcall function 002E9639: SelectObject.GDI32(?,00000000), ref: 002E96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00368887
LineTo.GDI32(?,?,?), ref: 00368894
EndPath.GDI32(?), ref: 003688A4
StrokePath.GDI32(?), ref: 003688B2

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f6fd64fa9d2a7a5704b8b8200b89ca39031ae587b943e9e3e98f50d675312741
Instruction ID: 2078ee1e9d4254b7ec9f143161e975e121b007c61ac1f62fee4e40a7f9252cda
Opcode Fuzzy Hash: f6fd64fa9d2a7a5704b8b8200b89ca39031ae587b943e9e3e98f50d675312741
Instruction Fuzzy Hash: 8BF03A36051258BADB136F94AC09FDA3E6DAF0A310F44C101FA61650E1C7B95561CFE5

Function 002E98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002E98CC
SetTextColor.GDI32(?,?), ref: 002E98D6
SetBkMode.GDI32(?,00000001), ref: 002E98E9
GetStockObject.GDI32(00000005), ref: 002E98F1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 8aa5936437e7de776a247b23a20656e9b21bc6b8417353f60ca199593713201f
Instruction ID: 2c065e8ca0431caa3ddd7aa3bb93b4cfd8017e976e77fbd6d9274b6267bdb992
Opcode Fuzzy Hash: 8aa5936437e7de776a247b23a20656e9b21bc6b8417353f60ca199593713201f
Instruction Fuzzy Hash: 50E06D31254280AADB226B75BC09BF93F24AB13336F14D21AF6FA980E1C3B146909B11

Function 0033162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00331634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003311D9), ref: 0033163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003311D9), ref: 00331648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003311D9), ref: 0033164F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ae1d11dabe5a32fdecd7ea6307a5954c8bd9e42b57a37586b4c4f23766a5c5ac
Instruction ID: e6ce0e13173d658835636217fecc0e9744c584d7f293c1e4f8624a86bf7f6a02
Opcode Fuzzy Hash: ae1d11dabe5a32fdecd7ea6307a5954c8bd9e42b57a37586b4c4f23766a5c5ac
Instruction Fuzzy Hash: 81E08631611211EBD7211FE19D0DB663B7CBF44791F15C808F685C9080D6B48440C750

Function 0032D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0032D858
GetDC.USER32(00000000), ref: 0032D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032D882
ReleaseDC.USER32(?), ref: 0032D8A3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 89938885a251ab0c5af43e42e3a39047c7bb9ad7a483a6c94fac9fc3c73b051a
Instruction ID: ef59eeae2dac8a819da67e320d3c9948cedc28c6c0bddbe35f8c7fb763dcf30e
Opcode Fuzzy Hash: 89938885a251ab0c5af43e42e3a39047c7bb9ad7a483a6c94fac9fc3c73b051a
Instruction Fuzzy Hash: 3AE01275820205DFCB429FA0D80867DBBB9FB08310F14E005E846E7250C7B45911DF54

Function 0032D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0032D86C
GetDC.USER32(00000000), ref: 0032D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032D882
ReleaseDC.USER32(?), ref: 0032D8A3

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c74a1a1a36afd3a44c1b891408762db6133b281e375cf6c94b83edeab40723ea
Instruction ID: 27f90da6262dc26264b306aa2069e377fdb0e9ae49b42c311e215bfd285526b8
Opcode Fuzzy Hash: c74a1a1a36afd3a44c1b891408762db6133b281e375cf6c94b83edeab40723ea
Instruction Fuzzy Hash: 46E01A70820200DFCB429FA0D80866DBBB9FB08310F18A009E88AE7250C7B85911DF54

Function 00344D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7620: _wcslen.LIBCMT ref: 002D7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00344ED4

Strings

*, xrefs: 00344E10
LPT, xrefs: 00344DFB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 81532c271cb09ae7b3e099fb956a21e0295de85096a2ec12478e622d0d997d91
Instruction ID: da12e45125b3c62b608f86116499f564fe63efb31bde41dd614a02fba31fc463
Opcode Fuzzy Hash: 81532c271cb09ae7b3e099fb956a21e0295de85096a2ec12478e622d0d997d91
Instruction Fuzzy Hash: 83915D75A002049FCB15DF58C484FAABBF5AF48304F5980A9E80A9F7A2D735ED85CB91

Function 002FE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002FE30D

Strings

pow, xrefs: 002FE2E5, 002FE302

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 443d365878ad11213c51a5bf0aed08892c71a8b3a32625e288446b58457042e9
Instruction ID: 83db638750e83bc53aeec1b4055f2c7f8eba2e40afc62dd185ba5e262210b260
Opcode Fuzzy Hash: 443d365878ad11213c51a5bf0aed08892c71a8b3a32625e288446b58457042e9
Instruction Fuzzy Hash: 22519D61E2E20796CF237B14C91537A6BA8AB407C0F3149B8E5D5462F9EB349CE1DB42

Function 00357771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0032569E,00000000,?,0036CC08,?,00000000,00000000), ref: 003578DD

Part of subcall function 002D6B57: _wcslen.LIBCMT ref: 002D6B6A

CharUpperBuffW.USER32(0032569E,00000000,?,0036CC08,00000000,?,00000000,00000000), ref: 0035783B

Strings

<s9, xrefs: 003577C8

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s9
API String ID: 3544283678-2301061083
Opcode ID: e5018b4a81f15e7c08430193a221016a5552beee316fd6d51906ad8c3d785681
Instruction ID: ab931369d788a2339673ed423812c2d572b03896b813490fa98e1bea8ac1cddf
Opcode Fuzzy Hash: e5018b4a81f15e7c08430193a221016a5552beee316fd6d51906ad8c3d785681
Instruction Fuzzy Hash: 9A616C76924119AACF06EBA4EC91DFDB378BF14701B444126F942B32A1EF305E59CBA0

Function 002EE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 002EE1B1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ab42dd8f3d36f056967b3cabde178b563cee09fe726969094817f56a2ec27ea4
Instruction ID: a2cb6e99e054dc803b8bdbf53a72275db3a9fd2133c1d781b46b436871fd4f58
Opcode Fuzzy Hash: ab42dd8f3d36f056967b3cabde178b563cee09fe726969094817f56a2ec27ea4
Instruction Fuzzy Hash: FF514335640396DFDF16DF68E0826BA7BA8EF25310F658055FC919B2C0D7309D52CBA0

Function 002EF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002EF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 002EF2BB

Strings

@, xrefs: 002EF2AF

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ecf77da42d27378243c1cb3e21ab7ee3f3b1bc2436d949eec96b5e0a4388fe8f
Instruction ID: 2eb8c36ad2e53458214c6aa78a3d3d18a1bf66925b8a9ff84441adc816639d04
Opcode Fuzzy Hash: ecf77da42d27378243c1cb3e21ab7ee3f3b1bc2436d949eec96b5e0a4388fe8f
Instruction Fuzzy Hash: EA5138714187459BD320AF10DC86BABBBFCFB84300F91885EF1D9811A5EB718939CB66

Function 00355745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003557E0
_wcslen.LIBCMT ref: 003557EC

Strings

CALLARGARRAY, xrefs: 003557E6, 003557EB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6e52de74e06a9f34fbc4a053d76eabb22f1e509c8baf60da9f0f3aab0986e5ec
Instruction ID: c6017ffb54571f0bae8f008c35a65a37baf15f2454768e0e53d8a0795f90c631
Opcode Fuzzy Hash: 6e52de74e06a9f34fbc4a053d76eabb22f1e509c8baf60da9f0f3aab0986e5ec
Instruction Fuzzy Hash: 9541D231E102099FCB05DFA9C891DBEBBB5FF59311F518029E805AB2A1E771AD85CF90

Function 0034D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0034D13A

Strings

|, xrefs: 0034D10B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 47397282a65599debc6925115a1261401f73cac2063e8fc97bc7805a86e22489
Instruction ID: d991b7ee45db5b7d528f81025ffec525d0c13abcd63d01f69a6c640f0b24ad85
Opcode Fuzzy Hash: 47397282a65599debc6925115a1261401f73cac2063e8fc97bc7805a86e22489
Instruction Fuzzy Hash: F5310875D10209ABCF15EFA4CC85EEEBFB9FF04340F00001AE915AA262D731AA56DF50

Function 0036356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00363621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0036365C

Strings

static, xrefs: 003635BC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 60ace7b3b319039a41e6ad0a38f841d85afa050eb4ab7fe15bb848f27a6fbd1e
Instruction ID: de4b1e0916b444b82d9f30aa98766ba0e3cc9076a8afbb471c6cfb67b51361cf
Opcode Fuzzy Hash: 60ace7b3b319039a41e6ad0a38f841d85afa050eb4ab7fe15bb848f27a6fbd1e
Instruction Fuzzy Hash: BB31DC71110204AEDB119F28CC80EFB33ACFF88720F11D61AF9A587280CA70AD91CB60

Function 00364537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0036461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00364634

Strings

', xrefs: 0036458E

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2f004c01a1718c09455989c0b09f3c53aaa329a49998d5aff9817bc3dfbd18e9
Instruction ID: 6919d23f183f5455a819cf3037b930e3a22b6c42e45604a3a8e25317b7193dde
Opcode Fuzzy Hash: 2f004c01a1718c09455989c0b09f3c53aaa329a49998d5aff9817bc3dfbd18e9
Instruction Fuzzy Hash: 9F310874E013099FDB15CF69C990BDABBB9FF4A300F15806AEA05AB355D770A941CF90

Function 003631EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0036327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00363287

Strings

Combobox, xrefs: 00363249

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2a2bff4fd89690225523747390f3cefa9429a830f45ae0222e9dcdc00117bf0f
Instruction ID: 6d98aa114d8f6a594f5715f82f5f739513d70dc0506ef280ad4265d2086e3bae
Opcode Fuzzy Hash: 2a2bff4fd89690225523747390f3cefa9429a830f45ae0222e9dcdc00117bf0f
Instruction Fuzzy Hash: 7711E2713002087FFF229F54DC90EBB3BAEEB983A4F118524F928972D4D6719D618760

Function 00363710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D604C
Part of subcall function 002D600E: GetStockObject.GDI32(00000011), ref: 002D6060
Part of subcall function 002D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D606A

GetWindowRect.USER32(00000000,?), ref: 0036377A
GetSysColor.USER32(00000012), ref: 00363794

Strings

static, xrefs: 00363757

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1cfc07b1a8956d7ceef9e47512d28c2938c2321f3300526eb5db89c060af47a3
Instruction ID: f8fd3f1b2a7943260ab90a10ed1e85eb537e60d6c5cf47e385531d2fc0e2e330
Opcode Fuzzy Hash: 1cfc07b1a8956d7ceef9e47512d28c2938c2321f3300526eb5db89c060af47a3
Instruction Fuzzy Hash: 3C116AB2610209AFDF02DFA8CC45EFA7BB8FB09304F018515F966E3250D775E8509B50

Function 0034CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0034CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0034CDA6

Strings

<local>, xrefs: 0034CD66

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 014937b2bf47080265698984e66ac3f9dd62f8e320b998ff742793a1c0210316
Instruction ID: c0d78ed1bd9ce51086c4180b6d81d21d7b8530f81882e204b90f49f21e8f7eff
Opcode Fuzzy Hash: 014937b2bf47080265698984e66ac3f9dd62f8e320b998ff742793a1c0210316
Instruction Fuzzy Hash: 7D110671A226317AD77A4B668C45EF3BEECEF137A4F005226F14987090D370A840D6F0

Function 00363429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003634AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003634BA

Strings

edit, xrefs: 0036348F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 47dc4c33b9a39b8979e5fbd3e2df57ca236725423a086787f3adb9d50d65f764
Instruction ID: be4e943f07ec2e86888b28efb683bdbed08cfcdf82bbd3123352c61ba901b8ce
Opcode Fuzzy Hash: 47dc4c33b9a39b8979e5fbd3e2df57ca236725423a086787f3adb9d50d65f764
Instruction Fuzzy Hash: 29116D71110108AAEB134E66DC44ABB776EEB05374F518324FA61971E8CB71DC519B60

Function 00336C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00336CB6
_wcslen.LIBCMT ref: 00336CC2

Strings

STOP, xrefs: 00336CBC, 00336CC1

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 25818541f9131b72745c1ce341549e04df9eeaf4a590f9fd915a75a2e529e867
Instruction ID: b6be9f1254cad9233971c26dfdaad00234331efd0387fa14f24db393411396b4
Opcode Fuzzy Hash: 25818541f9131b72745c1ce341549e04df9eeaf4a590f9fd915a75a2e529e867
Instruction Fuzzy Hash: 24010432610526AECB22AFBDDCC28BF73B8FA60714F014539E85296295EA31DC50CB50

Function 00331CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 00333CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00333CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00331D4C

Strings

ListBox, xrefs: 00331D16
ComboBox, xrefs: 00331CEB

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 30f48e500bd18298a50fb070b8c01ab5b7c656300ba61ff3ff3e6c702e6dfbbd
Instruction ID: ec9ed4bbcf57a20957ada75ce3c31ee0de8a65344dadb6d08c2ec3dba53e0f13
Opcode Fuzzy Hash: 30f48e500bd18298a50fb070b8c01ab5b7c656300ba61ff3ff3e6c702e6dfbbd
Instruction Fuzzy Hash: 6101D871621214ABCB06FBA4DC91CFE7368EB57350F04051AF872573C1EA305D589B60

Function 00331BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 00333CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00333CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00331C46

Strings

ListBox, xrefs: 00331C10
ComboBox, xrefs: 00331BE5

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ba1db90112048e125db7996704b5aaaa41afc691a76ce521d4deeda62cca9edd
Instruction ID: 186036f619ae32af877e0afa6cc199b90604e9cfc4a47c4ea301c9f1133f2b3c
Opcode Fuzzy Hash: ba1db90112048e125db7996704b5aaaa41afc691a76ce521d4deeda62cca9edd
Instruction Fuzzy Hash: 3801A275B911086ACF06EBA1CA92AFF77AC9B15340F14101AF81667281EA609E589BB1

Function 00331C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 00333CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00333CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00331CC8

Strings

ListBox, xrefs: 00331C94
ComboBox, xrefs: 00331C69

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 012b416861854d6328d0346fddf4fab1c575b256a7f5f9f98d200740fe01e605
Instruction ID: 7892b6503e5ed81a30e4fbc5ac8cd50974cc95106b01b3423bf144f3a9464c9b
Opcode Fuzzy Hash: 012b416861854d6328d0346fddf4fab1c575b256a7f5f9f98d200740fe01e605
Instruction Fuzzy Hash: 7E01D67179011867CF06EBA0CA81AFE73AC9B11740F141016B802B7281EA609F58D771

Function 002EA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002EA529

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Strings

,%:, xrefs: 002EA509
3y2, xrefs: 002EA545, 002EA54D, 002EA552

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%:$3y2
API String ID: 2551934079-383142059
Opcode ID: ee0cd0838f8dd6155cab34a8269a2754e6a885a2ce484ea64d827f916f56f22c
Instruction ID: 0aac42fcb625af407912fd6580880125236c03f2e7b3018170a942b3bcbbb47c
Opcode Fuzzy Hash: ee0cd0838f8dd6155cab34a8269a2754e6a885a2ce484ea64d827f916f56f22c
Instruction Fuzzy Hash: D9014731FA025487C605F76AD857AAE7354DB07750FC00429F501172C3DE506D618E97

Function 00331D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D9CB3: _wcslen.LIBCMT ref: 002D9CBD

Part of subcall function 00333CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00333CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00331DD3

Strings

ListBox, xrefs: 00331DA0
ComboBox, xrefs: 00331D75

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 47787094587e0cc9ff504fb940ea1d58df77249d8d80d728bf11c8c705b52468
Instruction ID: 0268f7cd894dbfc2bf11d7732b358fca0c6092b2646ea9699ca20fac1cf94309
Opcode Fuzzy Hash: 47787094587e0cc9ff504fb940ea1d58df77249d8d80d728bf11c8c705b52468
Instruction Fuzzy Hash: F3F0C871B6121466DB06F7A4DC92FFF777CAF06750F040916F822A73C1DA605D588760

Function 00368172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003A3018,003A305C), ref: 003681BF
CloseHandle.KERNEL32 ref: 003681D1

Strings

\0:, xrefs: 0036818A

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0:
API String ID: 3712363035-2209210759
Opcode ID: 17cd862f79a6515bc270cdb27105e9dc4893b18b1203a54414521964fc18aa34
Instruction ID: 7b1f4be5b2d211ec137976de3317c791107db0375b31ad8c2c5d627024ad16c7
Opcode Fuzzy Hash: 17cd862f79a6515bc270cdb27105e9dc4893b18b1203a54414521964fc18aa34
Instruction Fuzzy Hash: C9F082F5650304BEE322A761AC45FB77A5CDB06750F008461FB0AD51A2D6798E1487F8

Function 0035747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00357493
_wcslen.LIBCMT ref: 003574B9

Strings

3, 3, 16, 1, xrefs: 00357483

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 6245f92b2faf3e550ca9362d5011d1b045e918d1f829253dbe7a13f5fd6e043b
Instruction ID: b13ae3b0ecc357aa6b55ebc57da43ea795b6501ce3475cf615ff739638d3310b
Opcode Fuzzy Hash: 6245f92b2faf3e550ca9362d5011d1b045e918d1f829253dbe7a13f5fd6e043b
Instruction Fuzzy Hash: 08E02B86324260109232227BBCC5D7F9689CFC5791714183FFE85C2276EAD48DA193A0

Function 00330B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00330B23

Strings

Error allocating memory., xrefs: 00330B1C
AutoIt, xrefs: 00330B17

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 25830709668ab8d9b0be1b5f467241b2e77f9ebef1def34cbff01733ad441525
Instruction ID: baeb3a828b0b837dde6db3248ae341af8cab8251c334e1cfdc78f06c7d2a2bbd
Opcode Fuzzy Hash: 25830709668ab8d9b0be1b5f467241b2e77f9ebef1def34cbff01733ad441525
Instruction Fuzzy Hash: E6E0D8322A43482AD31636957C43FD9BA848F05B50F104426F788955C38BD264A04AA9

Function 002F0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002F0D71,?,?,?,002D100A), ref: 002EF7CE

IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 002F0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 002F0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002F0D7F

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 4c7beeaeb39926f336a4e7005b8a00a4ad54b675b4c96f493532f6c028da8b09
Instruction ID: e4c6676dcf166ee4bd8387d76ad36978db8d6fc5cbceb07289dfffdc668d58ee
Opcode Fuzzy Hash: 4c7beeaeb39926f336a4e7005b8a00a4ad54b675b4c96f493532f6c028da8b09
Instruction Fuzzy Hash: 60E0ED742103418FE7219FB8E4447A2BBE8EB00780F00C93DE882C2656DBB1E4448BA0

Function 002EE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002EE3D5

Strings

0%:, xrefs: 002EE3B5
8%:, xrefs: 002EE3CA

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%:$8%:
API String ID: 1385522511-2720582554
Opcode ID: 7855eed6a0c3fa2b9c7f31bb13c8098232735c587c17a25ad957e58c2d34ef09
Instruction ID: 2aaf34aee26540812760867a9b20f2574e5c8a4a35922674115f0f4a38764bc9
Opcode Fuzzy Hash: 7855eed6a0c3fa2b9c7f31bb13c8098232735c587c17a25ad957e58c2d34ef09
Instruction Fuzzy Hash: C7E02639CB0954CBCE0AAB1DB8B4EAEB399FB07320F9101F5F102875D29B3028518A54

Function 00343017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0034302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00343044

Strings

aut, xrefs: 00343038

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a630576459036fa19d5169b0870ead8a4c80fc082bfb8179f8c8b9b7b4992924
Instruction ID: eb0a7cabe75205f0b59ff2fc2d0c60dcd7e6bc97c7861c200c5ef686ff650505
Opcode Fuzzy Hash: a630576459036fa19d5169b0870ead8a4c80fc082bfb8179f8c8b9b7b4992924
Instruction Fuzzy Hash: 01D05EB250032867DE20A7A4EC0EFDB3A6CDB04750F0046A2FA95E2091DBF49984CAE0

Function 0032D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0032D220

Strings

X64, xrefs: 0032D2A8
%.3d, xrefs: 0032D22B

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1d68e0a5ce5bda2b3b715c2671057ee5dbe6258f48d877cdfd0d154afbd3ea84
Instruction ID: 0a844b4de44072ef8e57a53fdf512ca699aefd3184fcc20e966431a55654f3fe
Opcode Fuzzy Hash: 1d68e0a5ce5bda2b3b715c2671057ee5dbe6258f48d877cdfd0d154afbd3ea84
Instruction Fuzzy Hash: DAD01271858228EACF9197E0EC458F9B37CAB08301FA08852F80691440D634C518AB61

Function 00362322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0036232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0036233F

Part of subcall function 0033E97B: Sleep.KERNEL32 ref: 0033E9F3

Strings

Shell_TrayWnd, xrefs: 00362325

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 35f65c5191f1730d5928463d13a59a087a15ea59004bf7826a1e4bc8f3fcc5f6
Instruction ID: 79dcd629103f8736783fd1ea0e2aa87e7c37d088240bbf92ca5ef4a11fc36f06
Opcode Fuzzy Hash: 35f65c5191f1730d5928463d13a59a087a15ea59004bf7826a1e4bc8f3fcc5f6
Instruction Fuzzy Hash: D1D012363A5310B7EA65B771EC4FFD6BA189B44B10F009916F786AA1D0CAF4A801CB58

Function 00362356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0036236C
PostMessageW.USER32(00000000), ref: 00362373

Part of subcall function 0033E97B: Sleep.KERNEL32 ref: 0033E9F3

Strings

Shell_TrayWnd, xrefs: 00362365

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 554d9504233ab45f0e2558b65e654eb0a5cac6a3ed24886bead23587f220eb97
Instruction ID: 365cb4c5657f1a4f1ee31ec8da99e31ea49de2ad5e6d97dbf3921ba1c78fae38
Opcode Fuzzy Hash: 554d9504233ab45f0e2558b65e654eb0a5cac6a3ed24886bead23587f220eb97
Instruction Fuzzy Hash: 7FD0C9323913107AEA66B771EC4FFD6AA189B45B10F009916B786AA1D0CAF4A8018A58

Function 0030BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0030BE93
GetLastError.KERNEL32 ref: 0030BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0030BEFC

Memory Dump Source

Source File: 00000000.00000002.1740786938.00000000002D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000000.00000002.1740758697.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.000000000036C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740873632.0000000000392000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740939333.000000000039C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740971050.00000000003A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a0c103a9cc4ad46bfa1961b7089951e77f44303ef74c4936fedcb308700986a3
Instruction ID: 7f11fbc699e19539e614ea08635e5cf21c460019669e83bf6e453d623fdaf9a0
Opcode Fuzzy Hash: a0c103a9cc4ad46bfa1961b7089951e77f44303ef74c4936fedcb308700986a3
Instruction Fuzzy Hash: 5F41B535606207AFCF238F64DC64ABAFBA9EF42750F154169FA59971E1DB308D01CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1812198479.000001B936BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843133502.000001B936BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843456689.000001B93638A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1861501416.000001B936E54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846487869.000001B936E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1814996390.000001B934610000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1814996390.000001B934610000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1843456689.000001B93638A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762086888.000001B92D1B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813242751.000001B93638A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1861501416.000001B936E54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846487869.000001B936E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1864439800.000001B934758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1864439800.000001B934758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1814996390.000001B934610000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1814996390.000001B934610000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847081216.000001B934738000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1898068392.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910205317.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1898068392.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910205317.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1898068392.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910205317.000001B92FA84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899739162.000001B92E690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1846487869.000001B936E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1814371955.000001B9357E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893906762.000001B9357E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917782812.000001B9357D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1861501416.000001B936E54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846487869.000001B936E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1814371955.000001B9357E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893906762.000001B9357E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917782812.000001B9357D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1762086888.000001B92D198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1762086888.000001B92D17E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49836 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_90977c2a-2535-45b2-aa00-c72931e3c4d4.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_90977c2a-2535-45b2-aa00-c72931e3c4d4.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre