Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545192
MD5:	7e0177a38be142ca0e1b17462920fff1
SHA1:	866237a9b4a0789af4aef04eb89491d3cbb8ee20
SHA256:	85b95128b907a8ca0288b0aff6d826119b5aaec3afe4806b897594096cb00882
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7E0177A38BE142CA0E1B17462920FFF1)

taskkill.exe (PID: 7364 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7460 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7524 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7596 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7664 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7764 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ff7113-6985-4006-bec7-7eb2328d957f} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d29b56fb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7576 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd698bc7-645a-4afe-acb1-9f9348c4d216} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ad635210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4996 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5212 -prefMapHandle 5264 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58edcd17-e6ab-4b3e-b629-9824facfceb3} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ac551310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7348	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00C9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C9EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C9ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00C9EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C8AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CB9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1aa3320a-e
Source: file.exe, 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d2cd5e22-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cc22e106-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bfc96f21-a

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002715DFA21F2 NtQuerySystemInformation,		16_2_000002715DFA21F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002715DFA9EF7 NtQuerySystemInformation,		16_2_000002715DFA9EF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C8D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C81201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C8E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C92046	0_2_00C92046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C28060	0_2_00C28060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C88298	0_2_00C88298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5E4FF	0_2_00C5E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5676B	0_2_00C5676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB4873	0_2_00CB4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2CAF0	0_2_00C2CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4CAA0	0_2_00C4CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3CC39	0_2_00C3CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C56DD9	0_2_00C56DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C291C0	0_2_00C291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3B119	0_2_00C3B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41394	0_2_00C41394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41706	0_2_00C41706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4781B	0_2_00C4781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C419B0	0_2_00C419B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3997D	0_2_00C3997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C27920	0_2_00C27920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C47A4A	0_2_00C47A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C47CA7	0_2_00C47CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41C77	0_2_00C41C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C59EEE	0_2_00C59EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CABE44	0_2_00CABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C41F32	0_2_00C41F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002715DFA21F2	16_2_000002715DFA21F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002715DFA9EF7	16_2_000002715DFA9EF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002715DFA2232	16_2_000002715DFA2232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002715DFA291C	16_2_000002715DFA291C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C3F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C40A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C937B5 GetLastError,FormatMessageW,

0_2_00C937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C810BF AdjustTokenPrivileges,CloseHandle,		0_2_00C810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C8D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C9648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C242A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1922955281.000002D2B59A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1924439228.000002D2B4C88000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ff7113-6985-4006-bec7-7eb2328d957f} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d29b56fb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd698bc7-645a-4afe-acb1-9f9348c4d216} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ad635210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5212 -prefMapHandle 5264 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58edcd17-e6ab-4b3e-b629-9824facfceb3} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ac551310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ff7113-6985-4006-bec7-7eb2328d957f} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d29b56fb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd698bc7-645a-4afe-acb1-9f9348c4d216} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ad635210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5212 -prefMapHandle 5264 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58edcd17-e6ab-4b3e-b629-9824facfceb3} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ac551310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981023542.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000D.00000003.1955034607.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953180026.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951697702.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949898060.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1972056630.000002D2A8D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1969511275.000002D2A8D18000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1965975679.000002D2AD7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979773141.000002D2AD7BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979580420.000002D2AD921000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1976105990.000002D2AEA61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb_childCount source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981023542.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000D.00000003.1955034607.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953180026.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951697702.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949898060.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1969511275.000002D2A8D18000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981023542.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1972056630.000002D2A8D1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACD8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1966118502.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981023542.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdbaccessibilityCache source: firefox.exe, 0000000D.00000003.1966118502.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981023542.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000D.00000003.1967399355.000002D2ACBC0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1966574772.000002D2ACD2F000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C76686 push ss; ret	0_2_00C76687
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C76682 push ss; ret	0_2_00C76683
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7668E push ss; ret	0_2_00C7668F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C40A76 push ecx; ret	0_2_00C40A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31199 push cs; ret	0_2_00C3119A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3119C push cs; ret	0_2_00C311A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5959 push ebp; retf	0_2_00CB595F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5968 push edi; retf	0_2_00CB596B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB596C push ebp; retf	0_2_00CB596F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5978 push ebp; retf	0_2_00CB597B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5971 push esi; retf	0_2_00CB5973
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5975 push edi; retf	0_2_00CB5977
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C31900 push ss; ret	0_2_00C31906
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5EED push C74815FFh; retf	0_2_00CB5EF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5E88 push C74815FFh; retf	0_2_00CB5E92

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C3F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CB1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95715

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002715DFA21F2 rdtsc

16_2_000002715DFA21F2

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\file.exe TID: 7352	Thread sleep count: 89 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7352	Thread sleep count: 183 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C8DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C968EE FindFirstFileW,FindClose,	0_2_00C968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C9698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C8D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C8D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C99642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C9979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C99B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C95C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C95C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Source: firefox.exe, 00000011.00000002.3001045541.000001C076500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCe
Source: firefox.exe, 0000000F.00000002.3001514126.0000021BEB100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6}
Source: firefox.exe, 00000010.00000002.2994798524.000002715DC2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`Ed^q
Source: firefox.exe, 0000000F.00000002.2996361524.0000021BEABEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3001104298.000002715E640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3001104298.000002715E640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: firefox.exe, 0000000F.00000002.3000636253.0000021BEB014000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3001104298.000002715E640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: firefox.exe, 00000011.00000002.2995853116.000001C07619A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0#Pv
Source: firefox.exe, 0000000F.00000002.3001514126.0000021BEB100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQr
Source: firefox.exe, 0000000F.00000002.2996361524.0000021BEABEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: firefox.exe, 0000000F.00000002.3001514126.0000021BEB100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7y
Source: firefox.exe, 00000010.00000002.3001104298.000002715E640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002715DFA21F2 rdtsc

16_2_000002715DFA21F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9EAA2 BlockInput,

0_2_00C9EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C52622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C44CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C44CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C80B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C52622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C4083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C409D5 SetUnhandledExceptionFilter,	0_2_00C409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C40C21

Source: C:\Users\user\Desktop\file.exe

0_2_00C81201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C62BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C62BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8B226 SendInput,keybd_event,

0_2_00C8B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CA22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00C80B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C81663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C40698 cpuid

0_2_00C40698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C98195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C98195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7D27A GetUserNameW,

0_2_00C7D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C5BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C5BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C242DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7348, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CA1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CA1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.251.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.186.174	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000010.00000002.2998349877.000002715E0C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2997826262.000001C0764C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1878621215.000002D2ADC92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1973787456.000002D2B4D39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2997570346.0000021BEAECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E0E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3001259579.000001C076603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1934488889.000002D2B342E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2997826262.000001C07648F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1929444477.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976534075.000002D2AE96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962290241.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1957194605.000002D2B3834000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1945818045.000002D2B4C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924439228.000002D2B4C7C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1918872268.000002D2B672A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1925442060.000002D2B3824000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1927647784.000002D2B3364000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1945818045.000002D2B4C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817464292.000002D2ABEAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778617609.000002D2AB33C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1976898520.000002D2ADDDA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1778143484.000002D2AB100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778440762.000002D2AB31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778890589.000002D2AB35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779239005.000002D2AB377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778617609.000002D2AB33C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1945640474.000002D2B4CE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1929444477.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976534075.000002D2AE96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962290241.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2997570346.0000021BEAECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E0E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3001259579.000001C076603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://www.microsoft.JG	firefox.exe, 0000000D.00000003.1953180026.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1951697702.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949898060.000002D2A8D77000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1970307999.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1838956192.000002D2ACAFE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1928904849.000002D2AE9C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1932189690.000002D2ACDD5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2997570346.0000021BEAECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E0E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3001259579.000001C076603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1817464292.000002D2ABEA9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E00A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2997826262.000001C076403000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1873513921.000002D2ADC96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1974892767.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958041034.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1942244227.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970307999.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000010.00000002.2998349877.000002715E0C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2997826262.000001C0764C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1827068161.000002D2AC71F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
http://crl3.digic	firefox.exe, 0000000D.00000003.1949898060.000002D2A8D90000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1953180026.000002D2A8D90000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1954398522.000002D2A8D90000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1957194605.000002D2B3834000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945640474.000002D2B4C88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E012000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2997826262.000001C076413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818305488.000002D2B3714000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1927647784.000002D2B3364000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1974892767.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958041034.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1907211512.000002D2AB9C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834076596.000002D2AC9D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883693787.000002D2AC7CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830005670.000002D2AC6BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914344090.000002D2ACAFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962570236.000002D2AE91E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894934567.000002D2AEDE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787260530.000002D2AB6D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827068161.000002D2AC71A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1943861410.000002D2AC6C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927198419.000002D2B33D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930975482.000002D2ADF26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976634182.000002D2ADF21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981023542.000002D2ACDB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896383738.000002D2AC9CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1952678808.000002D2AB6F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960586134.000002D2B3364000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960676786.000002D2B3321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845875578.000002D2AC3C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889775140.000002D2AB6E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903467842.000002D2AC6B9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1976898520.000002D2ADDDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1929444477.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976534075.000002D2AE96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976898520.000002D2ADDDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962290241.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1931621084.000002D2AD580000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927198419.000002D2B33E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817464292.000002D2ABEA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1931621084.000002D2AD580000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927198419.000002D2B33E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817464292.000002D2ABEA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1974892767.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958041034.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1934488889.000002D2B342E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1782835687.000002D2AAF33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782605285.000002D2AAF17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781660375.000002D2AAF33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1976585148.000002D2AE966000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929444477.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962290241.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1873513921.000002D2ADC96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1782835687.000002D2AAF33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782605285.000002D2AAF17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781660375.000002D2AAF33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1942244227.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970307999.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2997570346.0000021BEAECA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E0E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3001259579.000001C076603000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1945640474.000002D2B4C88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1958041034.000002D2B35EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1973067488.000002D2B59C0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1778617609.000002D2AB33C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1945640474.000002D2B4CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778440762.000002D2AB31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778890589.000002D2AB35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830005670.000002D2AC6D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779239005.000002D2AB377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817464292.000002D2ABEAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778617609.000002D2AB33C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1927647784.000002D2B3364000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1929444477.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1976534075.000002D2AE96B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1962290241.000002D2AE963000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2997126180.0000021BEAC50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2996477055.000002715DF10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2997121018.000001C076340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1962290241.000002D2AE943000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929444477.000002D2AE943000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1928904849.000002D2AE9C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vk.com/	firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1962290241.000002D2AE943000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929444477.000002D2AE943000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1873513921.000002D2ADC96000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.114.101	unknown	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545192
Start date and time:	2024-10-30 08:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/13
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.160.212.113, 54.185.230.140, 52.11.191.138, 216.58.206.46, 2.22.61.56, 2.22.61.72, 172.217.18.10, 142.250.186.138, 142.250.186.110
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
03:22:13	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	B6eg13TpEH.elf	Get hash	malicious	Unknown	Browse	199.233.13.49
	https://trvelocity.petra-dee.org/index.php/campaigns/ao946pbrfq631/track-url/lk782m0eyna84/24e9f9ecc31181de7c43e9793836ee263a7fcd94%20%20office365_event_type%20alert	Get hash	malicious	Unknown	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	48.186.202.220
	W6Z9uSRsKQ.elf	Get hash	malicious	Unknown	Browse	51.234.59.164
	wZU2edEGL3.elf	Get hash	malicious	Unknown	Browse	48.151.123.182
	SuNMTBkfPo.elf	Get hash	malicious	Unknown	Browse	34.38.58.171
	8v2IShmMos.elf	Get hash	malicious	Unknown	Browse	48.105.223.96
	B6eg13TpEH.elf	Get hash	malicious	Unknown	Browse	51.228.224.164
	vHnFyxemFf.elf	Get hash	malicious	Unknown	Browse	48.89.33.244
	v6pwbOEUpl.elf	Get hash	malicious	Unknown	Browse	48.239.71.56
	j3Lr4Fk7Kb.elf	Get hash	malicious	Mirai	Browse	48.15.161.199
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 142.250.114.101 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_acf8b154-b237-4e2d-afd7-0699068602cd.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180685029445647
Encrypted:	false
SSDEEP:	192:ajMXhRhNhGcbhbVbTbfbRbObtbyEl7n8NpJA6WnSrDtTUd/SkDro:aYxjfGcNhnzFSJcNEBnSrDhUd/a
MD5:	E3780C9AE5A524D56D9C0949A8075CFB
SHA1:	7891175385E51CFFB6395313DB8E87A73085CB36
SHA-256:	9B52BAB0BEEBD8BD63298D211F616C5CFCBF8A415112F716BB9592A5D03EADCA
SHA-512:	9B05B2A24E9792D7AF751AE035FDB6E69AD92AFBEC559CB16AD1EED499F979F7844AD7F3EB565E6302A695507917EC63080A4250EB758FD0E2B175B16D44854F
Malicious:	false
Preview:	{"type":"uninstall","id":"acf8b154-b237-4e2d-afd7-0699068602cd","creationDate":"2024-10-30T08:44:14.420Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_acf8b154-b237-4e2d-afd7-0699068602cd.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180685029445647
Encrypted:	false
SSDEEP:	192:ajMXhRhNhGcbhbVbTbfbRbObtbyEl7n8NpJA6WnSrDtTUd/SkDro:aYxjfGcNhnzFSJcNEBnSrDhUd/a
MD5:	E3780C9AE5A524D56D9C0949A8075CFB
SHA1:	7891175385E51CFFB6395313DB8E87A73085CB36
SHA-256:	9B52BAB0BEEBD8BD63298D211F616C5CFCBF8A415112F716BB9592A5D03EADCA
SHA-512:	9B05B2A24E9792D7AF751AE035FDB6E69AD92AFBEC559CB16AD1EED499F979F7844AD7F3EB565E6302A695507917EC63080A4250EB758FD0E2B175B16D44854F
Malicious:	false
Preview:	{"type":"uninstall","id":"acf8b154-b237-4e2d-afd7-0699068602cd","creationDate":"2024-10-30T08:44:14.420Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9272469592314
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNs9p:8S+OfJQPUFpOdwNIOdYVjvYcXaNLLe8P
MD5:	159612F6E2B953FDC8D58A5A5C14462A
SHA1:	CEAB27B6F98CDD62FE6C6FC8C368040392EFEFEF
SHA-256:	174D8D522422234D4F0B9835D33E1E06382B12B0C811C213B541AB134E80167B
SHA-512:	A22810042F00CAF028BAEF276E319E13F34F3B273045F6EFEA9D674A42E13B64C2661BE12C3D5C83D203F446510C0494391FC9B2219F844E403B7B66D38CA3B6
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9272469592314
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNs9p:8S+OfJQPUFpOdwNIOdYVjvYcXaNLLe8P
MD5:	159612F6E2B953FDC8D58A5A5C14462A
SHA1:	CEAB27B6F98CDD62FE6C6FC8C368040392EFEFEF
SHA-256:	174D8D522422234D4F0B9835D33E1E06382B12B0C811C213B541AB134E80167B
SHA-512:	A22810042F00CAF028BAEF276E319E13F34F3B273045F6EFEA9D674A42E13B64C2661BE12C3D5C83D203F446510C0494391FC9B2219F844E403B7B66D38CA3B6
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	B118215782E8A098CF0FDF9707A4AF0D
SHA1:	6288DFB75E353CFC62A1D3D2D9B1B59EFBC6FB4E
SHA-256:	7DDB32FE00AEE0CF0B13F7110C70BCA6C08C8EB6D4F1664EDEAAAC30F987780A
SHA-512:	CC22EAB4C77AA64A89ECFC9B9D8B8C49B492027529A46E66D783F8322111ABB456F4619A11439DF8561425CAEFFA319E9CB8121B02D2E7A5128ABA5C5162B400
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03560170223186293
Encrypted:	false
SSDEEP:	3:GtlstFv0/ZhW7qlstFv0/ZhW7f/T89//alEl:GtWtaRhgqWtaRhgj89XuM
MD5:	1E4FA11CC68291D7F0FF3A873FDA6701
SHA1:	7AF10E2763D9432B1BCD58C414417B88EC0DBF01
SHA-256:	F9C6A08F0EC63907AB087DB3E7DE9C95D3868CC4416583B15F88536F98A2C56B
SHA-512:	F3D1D6DF125736A2340E9A334D88EDB944740D170D1B7842A177FC863B23A55513A331E9EB76F307D90FC33146435EFBB8AC5BA4958FB1E01AB7A8CA2A5B8DBC
Malicious:	false
Preview:	..-.....................xebt.h.4..ZT9>:l...w.....-.....................xebt.h.4..ZT9>:l...w...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03989725522705737
Encrypted:	false
SSDEEP:	3:Ol1A/xA8lWzfZdbhh4N7l8rEXsxdwhml8XW3R2:Ki/SNZhh4pl8dMhm93w
MD5:	5907E660579FBF09664F7BE326F61041
SHA1:	646C44305AC7F081723B7745A7C6E59070A2F529
SHA-256:	73F2CC4353252A9AD300567EE62B6DFE2D08682C95D6060F33F83786B3636C24
SHA-512:	79A50FB28B4938218EEC1B0002748020E30CD332D35717CCD7382192BE7ECC6E60DE5044436784627AB6E866662E8926DCCFEA5D7F4BE79E366E141EC064E157
Malicious:	false
Preview:	7....-............ZT9>:l*!..N.............ZT9>:ltbex4.h.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494921091806181
Encrypted:	false
SSDEEP:	192:+naRtLYbBp6thj4qyaaXA6KS0NjB5RfGNBw8dJSl:7enqUJUZcwK0
MD5:	2FDA4C658FF39C70AFBD4AE6A12B6434
SHA1:	5C59D449DF2C5747C2646BE4EC630B7B6F49E0AB
SHA-256:	A33B1EF214DAA2422B5C088F6C1F83698D01CEE096D055CE0544651B040C8643
SHA-512:	82AF27542380AAB60A9702BDC55AD17F03F553D6E8282259D0E43233604E43CEF2DA5DCB074CDCFC314D7EDF7798DD81169D0D5C607B236190A285E9F10BA389
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730277824);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730277824);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730277824);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173027

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494921091806181
Encrypted:	false
SSDEEP:	192:+naRtLYbBp6thj4qyaaXA6KS0NjB5RfGNBw8dJSl:7enqUJUZcwK0
MD5:	2FDA4C658FF39C70AFBD4AE6A12B6434
SHA1:	5C59D449DF2C5747C2646BE4EC630B7B6F49E0AB
SHA-256:	A33B1EF214DAA2422B5C088F6C1F83698D01CEE096D055CE0544651B040C8643
SHA-512:	82AF27542380AAB60A9702BDC55AD17F03F553D6E8282259D0E43233604E43CEF2DA5DCB074CDCFC314D7EDF7798DD81169D0D5C607B236190A285E9F10BA389
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730277824);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730277824);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730277824);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173027

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.335725496702056
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS0AxLXnIgl/pnxQwRlszT5sKtN3eHVQj6Te2amhujJlOsIomM69r0M:GUpOxhk3nR6v3eHTe24JlN6yD4
MD5:	295D8339A9DEC5CDF5A2CC31B5481921
SHA1:	0FC87A525156B1F28C980DFFB9CA4CE9A7DCA0BE
SHA-256:	DFDB8E6FB1351E018985401650F946EA8AD711F660F2B57CF732711BF6229166
SHA-512:	2D7F9C4FDAEA3E890ABBB333163EC4FF04664D3D3B8B601860F906A4E6E3F183F9C7C08A3C9637D6DB0C06E80487F92850378D3E19F05D3FB7C6856F331A415F
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ee4b1bed-fa56-43c8-a183-2c4cbcd6f2f5}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730277830031,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`794230...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...02012,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.335725496702056
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS0AxLXnIgl/pnxQwRlszT5sKtN3eHVQj6Te2amhujJlOsIomM69r0M:GUpOxhk3nR6v3eHTe24JlN6yD4
MD5:	295D8339A9DEC5CDF5A2CC31B5481921
SHA1:	0FC87A525156B1F28C980DFFB9CA4CE9A7DCA0BE
SHA-256:	DFDB8E6FB1351E018985401650F946EA8AD711F660F2B57CF732711BF6229166
SHA-512:	2D7F9C4FDAEA3E890ABBB333163EC4FF04664D3D3B8B601860F906A4E6E3F183F9C7C08A3C9637D6DB0C06E80487F92850378D3E19F05D3FB7C6856F331A415F
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ee4b1bed-fa56-43c8-a183-2c4cbcd6f2f5}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730277830031,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`794230...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...02012,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.335725496702056
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS0AxLXnIgl/pnxQwRlszT5sKtN3eHVQj6Te2amhujJlOsIomM69r0M:GUpOxhk3nR6v3eHTe24JlN6yD4
MD5:	295D8339A9DEC5CDF5A2CC31B5481921
SHA1:	0FC87A525156B1F28C980DFFB9CA4CE9A7DCA0BE
SHA-256:	DFDB8E6FB1351E018985401650F946EA8AD711F660F2B57CF732711BF6229166
SHA-512:	2D7F9C4FDAEA3E890ABBB333163EC4FF04664D3D3B8B601860F906A4E6E3F183F9C7C08A3C9637D6DB0C06E80487F92850378D3E19F05D3FB7C6856F331A415F
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ee4b1bed-fa56-43c8-a183-2c4cbcd6f2f5}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730277830031,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`794230...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...02012,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033663845991701
Encrypted:	false
SSDEEP:	48:YrSAYnsH6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:ycsHyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	F996F207AD05673758CC867444952643
SHA1:	D8126F0C8B012DB0A8455814D68DD9B63762CD43
SHA-256:	41EE02DF54F08555122C9E345DF382DFA2F36708052BA364118FDB1CF93F2B55
SHA-512:	0EF709758D12B70062AB6C4E0D8EE89FDBF75CCDFECA383D086C7CB3AD0C26078A892436FC5F0DE991F4EF5C71921583F0928D6910285F34B987978377DC49DE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T08:43:30.472Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033663845991701
Encrypted:	false
SSDEEP:	48:YrSAYnsH6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:ycsHyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	F996F207AD05673758CC867444952643
SHA1:	D8126F0C8B012DB0A8455814D68DD9B63762CD43
SHA-256:	41EE02DF54F08555122C9E345DF382DFA2F36708052BA364118FDB1CF93F2B55
SHA-512:	0EF709758D12B70062AB6C4E0D8EE89FDBF75CCDFECA383D086C7CB3AD0C26078A892436FC5F0DE991F4EF5C71921583F0928D6910285F34B987978377DC49DE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T08:43:30.472Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584685243283922
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	7e0177a38be142ca0e1b17462920fff1
SHA1:	866237a9b4a0789af4aef04eb89491d3cbb8ee20
SHA256:	85b95128b907a8ca0288b0aff6d826119b5aaec3afe4806b897594096cb00882
SHA512:	e14d442b86fbfa1c001612eb520120667e13e938ac6e2f78af9df0b4d1e905af53a9ad6135035311ac3713e7bfb9da93219e452c626b2968a1f296a9d6196cf6
SSDEEP:	12288:vqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ts:vqDEvCTbMWu7rQYlBQcBiT6rprG8abs
TLSH:	AD159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6721D8B8 [Wed Oct 30 06:56:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F82C91E7DA3h
jmp 00007F82C91E76AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F82C91E788Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F82C91E785Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F82C91EA44Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F82C91EA498h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F82C91EA481h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	50b29bca47fa8c1b68218d1f0e334403	False	0.3156398338607595	data	5.373911552674555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 08:22:08.283494949 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:08.283529997 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:08.289855003 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:08.294740915 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:08.294766903 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:08.918473005 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:08.918553114 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:08.926912069 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:08.926925898 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:08.927083015 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:08.927133083 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:08.927206993 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:10.343092918 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:10.343139887 CET	443	49738	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:10.344204903 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:10.346034050 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:10.346050024 CET	443	49738	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:10.519598961 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:10.522281885 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:10.522308111 CET	443	49740	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:10.524996996 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:10.526130915 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:10.526130915 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:10.530375004 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:10.530388117 CET	443	49740	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:10.530543089 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:10.535900116 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:10.873477936 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:10.873522043 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:10.873584032 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:10.874933004 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:10.874949932 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.121572971 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:11.175976992 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:11.233889103 CET	443	49738	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.233987093 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.234576941 CET	443	49738	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.234628916 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.296211004 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.296228886 CET	443	49738	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.296339989 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.296426058 CET	443	49738	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.296998978 CET	49738	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.334110022 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:11.334141016 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:11.345406055 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:11.345632076 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:11.345649004 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:11.346023083 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.346035004 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.351171970 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.352679014 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.352694988 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.353914976 CET	49744	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:11.359277964 CET	80	49744	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:11.359390020 CET	49744	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:11.359550953 CET	49744	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:11.364814043 CET	80	49744	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:11.400094986 CET	443	49740	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.400187969 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.401082039 CET	443	49740	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.401304007 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.404675961 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.404681921 CET	443	49740	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.404803991 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.404853106 CET	443	49740	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.405023098 CET	49740	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.405107975 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.405133963 CET	443	49745	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.405607939 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.406951904 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:11.406970978 CET	443	49745	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:11.450654030 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:11.450687885 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:11.450807095 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:11.451056004 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:11.451072931 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:11.493092060 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.493451118 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.497783899 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.497793913 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.497906923 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.498025894 CET	443	49741	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.498253107 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.498306036 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.498311996 CET	49741	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.498594046 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.500039101 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.500056028 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.955490112 CET	80	49744	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:11.966322899 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:11.966633081 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:11.966648102 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:11.986417055 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:11.986510992 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:12.006735086 CET	49744	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.051453114 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:12.051510096 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:12.051791906 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:12.067440987 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.079344034 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.087483883 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.092969894 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.092978954 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.093091011 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.093131065 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.093424082 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.093471050 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.093755007 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.095913887 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:12.096002102 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:12.096128941 CET	443	49742	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:12.098308086 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.098411083 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.098599911 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.098892927 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.098956108 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.103342056 CET	443	49746	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.107857943 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.107889891 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.107889891 CET	49742	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:12.107907057 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.107965946 CET	49746	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.110207081 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.116569996 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.116609097 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.116884947 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.117892981 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.122313023 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.122328043 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.122394085 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.122667074 CET	443	49747	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.123509884 CET	49747	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.263782024 CET	443	49745	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:12.263916016 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:12.266482115 CET	443	49745	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:12.266674042 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:12.271728992 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:12.271750927 CET	443	49745	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:12.271851063 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:12.271946907 CET	443	49745	142.250.185.238	192.168.2.4
Oct 30, 2024 08:22:12.273760080 CET	49745	443	192.168.2.4	142.250.185.238
Oct 30, 2024 08:22:12.523427010 CET	49744	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.523458958 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.529287100 CET	80	49744	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:12.529449940 CET	49744	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.529763937 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:12.529863119 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.729918957 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.730010986 CET	443	49750	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.734036922 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.734188080 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.734204054 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.735532999 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:12.735579967 CET	443	49750	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:12.735673904 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.738590002 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.738604069 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.738831997 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.741770029 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.741844893 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.741892099 CET	443	49749	34.160.144.191	192.168.2.4
Oct 30, 2024 08:22:12.745119095 CET	49749	443	192.168.2.4	34.160.144.191
Oct 30, 2024 08:22:12.851895094 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.857333899 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:12.857911110 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.858064890 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:12.863384962 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:13.363271952 CET	443	49750	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:13.363399982 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.373199940 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.373210907 CET	443	49750	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:13.373399973 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.373449087 CET	443	49750	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:13.373507023 CET	49750	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.374011993 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.374058962 CET	443	49753	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:13.374188900 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.375726938 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:13.375741959 CET	443	49753	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:13.465186119 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:13.521483898 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:13.738289118 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:13.743733883 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:13.743817091 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:13.743963003 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:13.749272108 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:14.105129004 CET	443	49753	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:14.105281115 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:14.122661114 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:14.122684002 CET	443	49753	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:14.122868061 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:14.123374939 CET	443	49753	34.117.188.166	192.168.2.4
Oct 30, 2024 08:22:14.130016088 CET	49753	443	192.168.2.4	34.117.188.166
Oct 30, 2024 08:22:14.341741085 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:14.385598898 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:14.681947947 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:14.784910917 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:14.906457901 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:14.958713055 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:17.479376078 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:17.480129957 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:17.481343031 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:17.481368065 CET	443	49756	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:17.486011028 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:17.486612082 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:17.489398003 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:17.501837969 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:17.501853943 CET	443	49756	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:17.510123968 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:17.510137081 CET	443	49757	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:17.511814117 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:17.513477087 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:17.513490915 CET	443	49757	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:17.516612053 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:17.516644001 CET	443	49758	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:17.517247915 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:17.517271996 CET	443	49759	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:17.517339945 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:17.518820047 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:17.518835068 CET	443	49758	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:17.521109104 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:17.521295071 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:17.521311045 CET	443	49759	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:17.605864048 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:17.608297110 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:17.652714014 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:17.655018091 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:18.108333111 CET	443	49756	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:18.108349085 CET	443	49756	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:18.108438969 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:18.114195108 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:18.114202976 CET	443	49756	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:18.114283085 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:18.114362001 CET	443	49756	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:18.114420891 CET	49756	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:18.133131981 CET	443	49758	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.134216070 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.141468048 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.141510963 CET	443	49758	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.141623020 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.141773939 CET	443	49758	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.141834021 CET	49758	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.142098904 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.142139912 CET	443	49760	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.142247915 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.143678904 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.143695116 CET	443	49760	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.145860910 CET	443	49759	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:18.145944118 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:18.148808956 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:18.148823023 CET	443	49759	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:18.149123907 CET	443	49759	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:18.151597977 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:18.151622057 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:18.151802063 CET	443	49759	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:18.154215097 CET	49759	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:18.162781000 CET	443	49757	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:18.162868023 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:18.169459105 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:18.169466019 CET	443	49757	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:18.169553995 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:18.169727087 CET	443	49757	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:18.169821978 CET	49757	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:18.751774073 CET	443	49760	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.751868963 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.756664991 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.756670952 CET	443	49760	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.756756067 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:18.756817102 CET	443	49760	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:18.756867886 CET	49760	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:21.154603958 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:21.160011053 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:21.280111074 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:21.348946095 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:23.018877983 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:23.024460077 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:23.028775930 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.028815031 CET	443	49767	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.029108047 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.030586004 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.030602932 CET	443	49767	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.051984072 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.052026033 CET	443	49768	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.054789066 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.054994106 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.055008888 CET	443	49768	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.138098955 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.138221979 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.138596058 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.138768911 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.138806105 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.146226883 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:23.207592964 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:23.494431973 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:23.500015974 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:23.619842052 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:23.663158894 CET	443	49768	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.663238049 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.671237946 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:23.671776056 CET	443	49767	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.672501087 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.733942986 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.733964920 CET	443	49768	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.734396935 CET	443	49768	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.737746000 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.737766981 CET	443	49767	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.737832069 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.737921000 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.737987041 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.738061905 CET	443	49767	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.738120079 CET	49767	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.738147020 CET	443	49768	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.738195896 CET	49768	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.754396915 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.754477978 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.757340908 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.757352114 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.757869005 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.759901047 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.759990931 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.760127068 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:23.760515928 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:23.760531902 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.173880100 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:24.175287008 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.175329924 CET	443	49770	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:24.177443981 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.178932905 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.178947926 CET	443	49770	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:24.179385900 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:24.300925016 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:24.342106104 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:24.417426109 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:24.422832966 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:24.542874098 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:24.589577913 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:24.787545919 CET	443	49770	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:24.787620068 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.843620062 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.897360086 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.897382021 CET	443	49770	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:24.897471905 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:24.897691965 CET	443	49770	34.120.208.123	192.168.2.4
Oct 30, 2024 08:22:24.897761106 CET	49770	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:22:26.148483038 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:26.153944969 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:26.275649071 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:26.316772938 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:26.417196989 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:26.422590017 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:26.542383909 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:26.595531940 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:28.047956944 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.048015118 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:28.052571058 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.054918051 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.054938078 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:28.661864042 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:28.661947966 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.666620016 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.666635036 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:28.666706085 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.666800976 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:28.667380095 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:28.669251919 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:28.674556971 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:28.796336889 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:28.799694061 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:28.805018902 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:28.855509043 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:28.926366091 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:28.971436024 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:37.007086992 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.007122993 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.008528948 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.008631945 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.008637905 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.017842054 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.017884970 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:37.018178940 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.018302917 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.018320084 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:37.023175001 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.023211002 CET	443	49774	151.101.65.91	192.168.2.4
Oct 30, 2024 08:22:37.023689985 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.023828983 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.023847103 CET	443	49774	151.101.65.91	192.168.2.4
Oct 30, 2024 08:22:37.538639069 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:37.538691044 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:37.543533087 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:37.545037031 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:37.545059919 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:37.567642927 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:37.567684889 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 08:22:37.570203066 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:37.571619987 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:37.571644068 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 08:22:37.625765085 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.626559019 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.629683971 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.629699945 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.630028963 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.632626057 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.632767916 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.632824898 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.633172035 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.636648893 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:37.637083054 CET	443	49774	151.101.65.91	192.168.2.4
Oct 30, 2024 08:22:37.637192011 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.640021086 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.640029907 CET	443	49774	151.101.65.91	192.168.2.4
Oct 30, 2024 08:22:37.640295029 CET	443	49774	151.101.65.91	192.168.2.4
Oct 30, 2024 08:22:37.642030954 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.642106056 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.642189026 CET	443	49774	151.101.65.91	192.168.2.4
Oct 30, 2024 08:22:37.642540932 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:37.643840075 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.643978119 CET	49774	443	192.168.2.4	151.101.65.91
Oct 30, 2024 08:22:37.645373106 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:37.647838116 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.650827885 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.650842905 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:37.651154995 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:37.653675079 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.653714895 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.653891087 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.654021025 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.654032946 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.654326916 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.654392958 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.654484987 CET	443	49773	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:37.655047894 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.655070066 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.655334949 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.655345917 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.655502081 CET	49773	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:37.655543089 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.655544996 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.655628920 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.655637980 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.655719995 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:37.655726910 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:37.764188051 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:37.767184019 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:37.772568941 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:37.820702076 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:37.892437935 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:37.936604977 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.153388023 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:38.161295891 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:38.165481091 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:38.165494919 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:38.165596008 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:38.165772915 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 08:22:38.168144941 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.168467045 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 08:22:38.173502922 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:38.180486917 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 08:22:38.184103012 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:38.188113928 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:38.188124895 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 08:22:38.188216925 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:38.188338995 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 08:22:38.188422918 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 08:22:38.201224089 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.201275110 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:38.201438904 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.201564074 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.201576948 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:38.261321068 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.262718916 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.265512943 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.265522003 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.265806913 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.268251896 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.268357992 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.268389940 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.268516064 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.270723104 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.270797014 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.271774054 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.271845102 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.273438931 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.273446083 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.273777962 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.275685072 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.275693893 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.275940895 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.278547049 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.278629065 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.278745890 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.278790951 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.278839111 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.278944969 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 08:22:38.279256105 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.279273033 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.279287100 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.279309034 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 08:22:38.295156002 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:38.298260927 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.303563118 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:38.353385925 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.424153090 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:38.469283104 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.799719095 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:38.799746037 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:38.800170898 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:38.801704884 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:38.801716089 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:38.817379951 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:38.817482948 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.820868015 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.820883989 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:38.821163893 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:38.823915005 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.824007034 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.824142933 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 08:22:38.826873064 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 08:22:38.828371048 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.833719015 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:38.955564022 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:38.958645105 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:38.964590073 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:39.001955986 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:39.084471941 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:39.124464989 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:39.415466070 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:39.415680885 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:39.419806004 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:39.419816971 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:39.419893980 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:39.420098066 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:39.420152903 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:39.422705889 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:39.428023100 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:39.549659967 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:39.554588079 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:39.559909105 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:39.603709936 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:39.680032015 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:39.726159096 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:41.166305065 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:41.171660900 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:41.293495893 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:41.300884008 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:41.306246996 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:41.346398115 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:41.426104069 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:41.477910995 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:51.306689024 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:51.312155962 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:51.438219070 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:51.443582058 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:51.949632883 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:51.949692011 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:51.949763060 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:51.949919939 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:51.949933052 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.555825949 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.556468964 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.559206963 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:52.559245110 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.562614918 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:52.562654972 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.562835932 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.565795898 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:52.565895081 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:52.565948009 CET	443	53057	142.250.114.101	192.168.2.4
Oct 30, 2024 08:22:52.565994978 CET	53057	443	192.168.2.4	142.250.114.101
Oct 30, 2024 08:22:52.571098089 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:52.576452017 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:52.705760956 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:52.708898067 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:52.714339018 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:52.764149904 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:52.834602118 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:22:52.880018950 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:22:59.727715015 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:59.727771044 CET	443	53085	34.107.243.93	192.168.2.4
Oct 30, 2024 08:22:59.727869987 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:59.729839087 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:22:59.729862928 CET	443	53085	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:00.345774889 CET	443	53085	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:00.345870972 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:00.351385117 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:00.351421118 CET	443	53085	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:00.351491928 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:00.351541042 CET	443	53085	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:00.351773977 CET	53085	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:00.354439020 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:00.359888077 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:00.482064009 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:00.486355066 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:00.491851091 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:00.530021906 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:00.611612082 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:00.668071032 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:07.055948019 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.055969000 CET	443	53130	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.056274891 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.056361914 CET	443	53131	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.056634903 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.056782007 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.056785107 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.056794882 CET	443	53130	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.056978941 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.056993008 CET	443	53131	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.072743893 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.072793961 CET	443	53133	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.073280096 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.073429108 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.073455095 CET	443	53133	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.663141966 CET	443	53131	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.663266897 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.664557934 CET	443	53130	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.664622068 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.666719913 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.666728973 CET	443	53131	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.666965008 CET	443	53131	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.669331074 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.669338942 CET	443	53130	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.669538975 CET	443	53130	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.672319889 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.672384977 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.672456980 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.672513008 CET	443	53131	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.672534943 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.672579050 CET	443	53130	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.672728062 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.672751904 CET	53130	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.672785997 CET	53131	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.677233934 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:07.682620049 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:07.693299055 CET	443	53133	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.693401098 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.696348906 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.696377993 CET	443	53133	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.697211027 CET	443	53133	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.698828936 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.698971033 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.699074984 CET	443	53133	34.120.208.123	192.168.2.4
Oct 30, 2024 08:23:07.699641943 CET	53133	443	192.168.2.4	34.120.208.123
Oct 30, 2024 08:23:07.805013895 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:07.808275938 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:07.813776970 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:07.851068974 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:07.933948040 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:07.989145041 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:17.804781914 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:17.810750008 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:17.936362028 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:17.941843987 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:27.817581892 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:27.822995901 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:27.949146032 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:27.954504013 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:37.830990076 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:37.836385965 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:37.962781906 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:37.968583107 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:40.432282925 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:40.432369947 CET	443	53319	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:40.434020996 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:40.436043024 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:40.436081886 CET	443	53319	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:41.255147934 CET	443	53319	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:41.255295992 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:41.262713909 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:41.262743950 CET	443	53319	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:41.262857914 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:41.262888908 CET	443	53319	34.107.243.93	192.168.2.4
Oct 30, 2024 08:23:41.263874054 CET	53319	443	192.168.2.4	34.107.243.93
Oct 30, 2024 08:23:41.266194105 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:41.271545887 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:41.395442009 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:41.400172949 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:41.407028913 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:41.441801071 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:41.527498007 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:41.573312998 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:51.401804924 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:51.407380104 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:23:51.533287048 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:23:51.538799047 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:24:01.416897058 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:24:01.422377110 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:24:01.548477888 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:24:01.553885937 CET	80	49754	34.107.221.82	192.168.2.4
Oct 30, 2024 08:24:11.439097881 CET	49752	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:24:11.444463015 CET	80	49752	34.107.221.82	192.168.2.4
Oct 30, 2024 08:24:11.570635080 CET	49754	80	192.168.2.4	34.107.221.82
Oct 30, 2024 08:24:11.576081991 CET	80	49754	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 08:22:08.286273956 CET	58065	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:08.293692112 CET	53	58065	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:08.301661015 CET	52344	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:08.309117079 CET	53	52344	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.329277039 CET	49908	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.334661961 CET	52091	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.338761091 CET	63233	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.341876984 CET	53	52091	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.343765020 CET	51282	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.346065044 CET	53	63233	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.346754074 CET	63334	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.351095915 CET	53	51282	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.352148056 CET	62656	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.354032040 CET	53	63334	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.359463930 CET	53	62656	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.856101990 CET	62039	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.863789082 CET	53	62039	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.873648882 CET	58548	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.881366014 CET	53	58548	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:10.888961077 CET	64911	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:10.896794081 CET	53	64911	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.325711012 CET	63768	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.326703072 CET	60738	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.333467007 CET	53	63768	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.334443092 CET	53	60738	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.342689037 CET	57199	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.344321966 CET	62651	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.350361109 CET	53	57199	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.355340004 CET	55927	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.355524063 CET	54645	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.362832069 CET	53	55927	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.363758087 CET	60620	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.363823891 CET	53	54645	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.364378929 CET	60959	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.371716022 CET	53	60620	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.372256994 CET	53	60959	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.441204071 CET	63692	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.448601007 CET	53	63692	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.451248884 CET	56903	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.459276915 CET	53	56903	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:11.459903002 CET	55015	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:11.467307091 CET	53	55015	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:14.681925058 CET	62156	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:14.700181961 CET	60637	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:14.786525011 CET	53	60637	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:14.791194916 CET	56548	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:14.798266888 CET	53	56548	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:14.803869963 CET	52788	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:14.811801910 CET	53	52788	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:14.811868906 CET	53	60779	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.246378899 CET	64714	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.253799915 CET	53	64714	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.267585039 CET	63182	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.275504112 CET	53	63182	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.318010092 CET	57403	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.355091095 CET	53	57403	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.502985954 CET	53323	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.503273010 CET	50920	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.503595114 CET	54950	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.510656118 CET	53	50920	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.510842085 CET	53	54950	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.511409998 CET	53	53323	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.516028881 CET	53343	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.516721964 CET	51276	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.523365021 CET	53	53343	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.525249958 CET	53	51276	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:17.541235924 CET	50463	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:17.548749924 CET	53	50463	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:23.020330906 CET	51784	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:23.027849913 CET	53	51784	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.048954010 CET	49594	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.056555986 CET	53	49594	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.170331001 CET	64702	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.170505047 CET	51377	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.170505047 CET	60466	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.177625895 CET	53	51377	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.177642107 CET	53	60466	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.177954912 CET	53	64702	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.178513050 CET	52772	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.178513050 CET	64215	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.179294109 CET	53606	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.186064005 CET	53	52772	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.186527967 CET	53	64215	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.186909914 CET	53	53606	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.194545984 CET	51147	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.194653988 CET	51474	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.195514917 CET	52303	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.202189922 CET	53	51474	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.202299118 CET	53	51147	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.202938080 CET	64424	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.203273058 CET	53	52303	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.203288078 CET	50096	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.210036993 CET	53	64424	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.210565090 CET	53	50096	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.210820913 CET	51708	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.211325884 CET	57434	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.217978001 CET	53	51708	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.218523979 CET	53	57434	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.218626976 CET	52808	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.218996048 CET	50973	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:28.226615906 CET	53	52808	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:28.226639032 CET	53	50973	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.014009953 CET	62955	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.015372992 CET	62267	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.021786928 CET	53	62955	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.022643089 CET	53	62267	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.023622036 CET	64519	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.031524897 CET	53	64519	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.032128096 CET	55766	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.039617062 CET	53	55766	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.545509100 CET	52985	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.554056883 CET	53	52985	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.568753958 CET	56258	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.576741934 CET	53	56258	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.578788042 CET	64507	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:37.585902929 CET	53	64507	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:37.636976004 CET	61840	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:38.791480064 CET	55531	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:38.798810005 CET	53	55531	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:38.800103903 CET	49856	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:38.807357073 CET	53	49856	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:51.329796076 CET	53	59781	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:59.717061996 CET	61504	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:59.724596977 CET	53	61504	1.1.1.1	192.168.2.4
Oct 30, 2024 08:22:59.726855040 CET	58101	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:22:59.734823942 CET	53	58101	1.1.1.1	192.168.2.4
Oct 30, 2024 08:23:07.056529999 CET	56441	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:23:07.063682079 CET	53	56441	1.1.1.1	192.168.2.4
Oct 30, 2024 08:23:40.433221102 CET	57515	53	192.168.2.4	1.1.1.1
Oct 30, 2024 08:23:40.440519094 CET	53	57515	1.1.1.1	192.168.2.4
Oct 30, 2024 08:23:41.266525984 CET	59074	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 08:22:08.286273956 CET	192.168.2.4	1.1.1.1	0xc5ab	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:08.301661015 CET	192.168.2.4	1.1.1.1	0x367d	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:10.329277039 CET	192.168.2.4	1.1.1.1	0xa82f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.334661961 CET	192.168.2.4	1.1.1.1	0x35c7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.338761091 CET	192.168.2.4	1.1.1.1	0xac5e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.343765020 CET	192.168.2.4	1.1.1.1	0x86fe	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.346754074 CET	192.168.2.4	1.1.1.1	0xd05c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:10.352148056 CET	192.168.2.4	1.1.1.1	0x8358	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:10.856101990 CET	192.168.2.4	1.1.1.1	0xcb06	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.873648882 CET	192.168.2.4	1.1.1.1	0x26b2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.888961077 CET	192.168.2.4	1.1.1.1	0xce80	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:11.325711012 CET	192.168.2.4	1.1.1.1	0x85c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.326703072 CET	192.168.2.4	1.1.1.1	0x6eb1	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.342689037 CET	192.168.2.4	1.1.1.1	0x6ae2	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.344321966 CET	192.168.2.4	1.1.1.1	0x90e2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.355340004 CET	192.168.2.4	1.1.1.1	0xfa7c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.355524063 CET	192.168.2.4	1.1.1.1	0xd4e4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.363758087 CET	192.168.2.4	1.1.1.1	0x582d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:11.364378929 CET	192.168.2.4	1.1.1.1	0x5a9d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:11.441204071 CET	192.168.2.4	1.1.1.1	0x3df	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.451248884 CET	192.168.2.4	1.1.1.1	0xd3b3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.459903002 CET	192.168.2.4	1.1.1.1	0x41cf	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:14.681925058 CET	192.168.2.4	1.1.1.1	0xaa98	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:14.700181961 CET	192.168.2.4	1.1.1.1	0x9372	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:14.791194916 CET	192.168.2.4	1.1.1.1	0x6a40	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:14.803869963 CET	192.168.2.4	1.1.1.1	0x7c69	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:17.246378899 CET	192.168.2.4	1.1.1.1	0x32a5	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.267585039 CET	192.168.2.4	1.1.1.1	0x25ac	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.318010092 CET	192.168.2.4	1.1.1.1	0xb920	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:17.502985954 CET	192.168.2.4	1.1.1.1	0x6dca	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:17.503273010 CET	192.168.2.4	1.1.1.1	0xeccf	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.503595114 CET	192.168.2.4	1.1.1.1	0x7215	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.516028881 CET	192.168.2.4	1.1.1.1	0xf427	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:17.516721964 CET	192.168.2.4	1.1.1.1	0x4e1c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.541235924 CET	192.168.2.4	1.1.1.1	0xd6e6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:23.020330906 CET	192.168.2.4	1.1.1.1	0xe7b9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:28.048954010 CET	192.168.2.4	1.1.1.1	0x68d3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:28.170331001 CET	192.168.2.4	1.1.1.1	0x2108	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.170505047 CET	192.168.2.4	1.1.1.1	0x93cb	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.170505047 CET	192.168.2.4	1.1.1.1	0x719b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.178513050 CET	192.168.2.4	1.1.1.1	0xf32e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.178513050 CET	192.168.2.4	1.1.1.1	0x948	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.179294109 CET	192.168.2.4	1.1.1.1	0x4059	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.194545984 CET	192.168.2.4	1.1.1.1	0x5859	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:28.194653988 CET	192.168.2.4	1.1.1.1	0x9ea0	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:28.195514917 CET	192.168.2.4	1.1.1.1	0x5304	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 08:22:28.202938080 CET	192.168.2.4	1.1.1.1	0x43b6	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.203288078 CET	192.168.2.4	1.1.1.1	0x2e08	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.210820913 CET	192.168.2.4	1.1.1.1	0x4a79	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.211325884 CET	192.168.2.4	1.1.1.1	0x67d3	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.218626976 CET	192.168.2.4	1.1.1.1	0x924d	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:28.218996048 CET	192.168.2.4	1.1.1.1	0x1fff	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:37.014009953 CET	192.168.2.4	1.1.1.1	0x7b63	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.015372992 CET	192.168.2.4	1.1.1.1	0xead5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 08:22:37.023622036 CET	192.168.2.4	1.1.1.1	0x5bd8	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.032128096 CET	192.168.2.4	1.1.1.1	0x1679	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 08:22:37.545509100 CET	192.168.2.4	1.1.1.1	0x892d	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.568753958 CET	192.168.2.4	1.1.1.1	0xdde2	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.578788042 CET	192.168.2.4	1.1.1.1	0x32ee	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:37.636976004 CET	192.168.2.4	1.1.1.1	0x7dd5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:38.791480064 CET	192.168.2.4	1.1.1.1	0x72ff	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:38.800103903 CET	192.168.2.4	1.1.1.1	0xdc1c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:22:59.717061996 CET	192.168.2.4	1.1.1.1	0x5ac0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:59.726855040 CET	192.168.2.4	1.1.1.1	0x75ee	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:23:07.056529999 CET	192.168.2.4	1.1.1.1	0x6608	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:23:40.433221102 CET	192.168.2.4	1.1.1.1	0x769b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 08:23:41.266525984 CET	192.168.2.4	1.1.1.1	0x92d1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 08:22:08.271707058 CET	1.1.1.1	192.168.2.4	0x7de7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:08.293692112 CET	1.1.1.1	192.168.2.4	0xc5ab	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.337277889 CET	1.1.1.1	192.168.2.4	0xa82f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:10.337277889 CET	1.1.1.1	192.168.2.4	0xa82f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.341876984 CET	1.1.1.1	192.168.2.4	0x35c7	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.346065044 CET	1.1.1.1	192.168.2.4	0xac5e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.351095915 CET	1.1.1.1	192.168.2.4	0x86fe	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.354032040 CET	1.1.1.1	192.168.2.4	0xd05c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 08:22:10.359463930 CET	1.1.1.1	192.168.2.4	0x8358	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 08:22:10.863789082 CET	1.1.1.1	192.168.2.4	0xcb06	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:10.881366014 CET	1.1.1.1	192.168.2.4	0x26b2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.332757950 CET	1.1.1.1	192.168.2.4	0x935a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:11.332757950 CET	1.1.1.1	192.168.2.4	0x935a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.333467007 CET	1.1.1.1	192.168.2.4	0x85c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:11.333467007 CET	1.1.1.1	192.168.2.4	0x85c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.334443092 CET	1.1.1.1	192.168.2.4	0x6eb1	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.350361109 CET	1.1.1.1	192.168.2.4	0x6ae2	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.350361109 CET	1.1.1.1	192.168.2.4	0x6ae2	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.352690935 CET	1.1.1.1	192.168.2.4	0x90e2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:11.352690935 CET	1.1.1.1	192.168.2.4	0x90e2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.362832069 CET	1.1.1.1	192.168.2.4	0xfa7c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.363823891 CET	1.1.1.1	192.168.2.4	0xd4e4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.448601007 CET	1.1.1.1	192.168.2.4	0x3df	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:11.448601007 CET	1.1.1.1	192.168.2.4	0x3df	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:11.448601007 CET	1.1.1.1	192.168.2.4	0x3df	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.459276915 CET	1.1.1.1	192.168.2.4	0xd3b3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:11.467307091 CET	1.1.1.1	192.168.2.4	0x41cf	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 08:22:14.786525011 CET	1.1.1.1	192.168.2.4	0x9372	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:14.786695004 CET	1.1.1.1	192.168.2.4	0xaa98	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:14.798266888 CET	1.1.1.1	192.168.2.4	0x6a40	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.253799915 CET	1.1.1.1	192.168.2.4	0x32a5	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:17.253799915 CET	1.1.1.1	192.168.2.4	0x32a5	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:17.253799915 CET	1.1.1.1	192.168.2.4	0x32a5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.275504112 CET	1.1.1.1	192.168.2.4	0x25ac	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.486634970 CET	1.1.1.1	192.168.2.4	0xc763	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.498406887 CET	1.1.1.1	192.168.2.4	0x54c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:17.498406887 CET	1.1.1.1	192.168.2.4	0x54c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.510656118 CET	1.1.1.1	192.168.2.4	0xeccf	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:17.510656118 CET	1.1.1.1	192.168.2.4	0xeccf	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.510842085 CET	1.1.1.1	192.168.2.4	0x7215	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:17.525249958 CET	1.1.1.1	192.168.2.4	0x4e1c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:23.027751923 CET	1.1.1.1	192.168.2.4	0x438e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177625895 CET	1.1.1.1	192.168.2.4	0x93cb	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177625895 CET	1.1.1.1	192.168.2.4	0x93cb	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177642107 CET	1.1.1.1	192.168.2.4	0x719b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177642107 CET	1.1.1.1	192.168.2.4	0x719b	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.177954912 CET	1.1.1.1	192.168.2.4	0x2108	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186064005 CET	1.1.1.1	192.168.2.4	0xf32e	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186527967 CET	1.1.1.1	192.168.2.4	0x948	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.186909914 CET	1.1.1.1	192.168.2.4	0x4059	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.202189922 CET	1.1.1.1	192.168.2.4	0x9ea0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 08:22:28.202189922 CET	1.1.1.1	192.168.2.4	0x9ea0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 08:22:28.202189922 CET	1.1.1.1	192.168.2.4	0x9ea0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 08:22:28.202189922 CET	1.1.1.1	192.168.2.4	0x9ea0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 08:22:28.202299118 CET	1.1.1.1	192.168.2.4	0x5859	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 08:22:28.203273058 CET	1.1.1.1	192.168.2.4	0x5304	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 08:22:28.210036993 CET	1.1.1.1	192.168.2.4	0x43b6	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:28.210036993 CET	1.1.1.1	192.168.2.4	0x43b6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.210036993 CET	1.1.1.1	192.168.2.4	0x43b6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.210036993 CET	1.1.1.1	192.168.2.4	0x43b6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.210036993 CET	1.1.1.1	192.168.2.4	0x43b6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.210565090 CET	1.1.1.1	192.168.2.4	0x2e08	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.217978001 CET	1.1.1.1	192.168.2.4	0x4a79	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.217978001 CET	1.1.1.1	192.168.2.4	0x4a79	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.217978001 CET	1.1.1.1	192.168.2.4	0x4a79	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.217978001 CET	1.1.1.1	192.168.2.4	0x4a79	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:28.218523979 CET	1.1.1.1	192.168.2.4	0x67d3	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.013787985 CET	1.1.1.1	192.168.2.4	0x831	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:37.013787985 CET	1.1.1.1	192.168.2.4	0x831	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.021786928 CET	1.1.1.1	192.168.2.4	0x7b63	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.021786928 CET	1.1.1.1	192.168.2.4	0x7b63	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.021786928 CET	1.1.1.1	192.168.2.4	0x7b63	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.021786928 CET	1.1.1.1	192.168.2.4	0x7b63	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.031524897 CET	1.1.1.1	192.168.2.4	0x5bd8	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.031524897 CET	1.1.1.1	192.168.2.4	0x5bd8	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.031524897 CET	1.1.1.1	192.168.2.4	0x5bd8	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.031524897 CET	1.1.1.1	192.168.2.4	0x5bd8	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.039617062 CET	1.1.1.1	192.168.2.4	0x1679	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 08:22:37.039617062 CET	1.1.1.1	192.168.2.4	0x1679	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 08:22:37.039617062 CET	1.1.1.1	192.168.2.4	0x1679	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 08:22:37.039617062 CET	1.1.1.1	192.168.2.4	0x1679	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 08:22:37.554056883 CET	1.1.1.1	192.168.2.4	0x892d	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:37.554056883 CET	1.1.1.1	192.168.2.4	0x892d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.576741934 CET	1.1.1.1	192.168.2.4	0xdde2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:37.647094965 CET	1.1.1.1	192.168.2.4	0x7dd5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:37.647094965 CET	1.1.1.1	192.168.2.4	0x7dd5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:38.294903994 CET	1.1.1.1	192.168.2.4	0x42ed	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:38.294903994 CET	1.1.1.1	192.168.2.4	0x42ed	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:22:38.798810005 CET	1.1.1.1	192.168.2.4	0x72ff	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:22:59.724596977 CET	1.1.1.1	192.168.2.4	0x5ac0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:23:07.054016113 CET	1.1.1.1	192.168.2.4	0x452	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:23:41.274239063 CET	1.1.1.1	192.168.2.4	0x92d1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:23:41.274239063 CET	1.1.1.1	192.168.2.4	0x92d1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:22:10.530543089 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:11.121572971 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63474 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	7780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:22:11.359550953 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:11.955490112 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54400 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:22:12.858064890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:13.465186119 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63476 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:14.681947947 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:14.906457901 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63477 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:17.480129957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:17.608297110 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63480 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:23.018877983 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:23.146226883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63486 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:24.173880100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:24.300925016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63487 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:26.148483038 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:26.275649071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63489 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:28.669251919 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:28.796336889 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63491 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:37.636648893 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:37.764188051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63500 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:38.168144941 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:38.295156002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63501 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:38.828371048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:38.955564022 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63501 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:39.422705889 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:39.549659967 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63502 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:41.166305065 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:41.293495893 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63504 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:22:51.306689024 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:22:52.571098089 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:22:52.705760956 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63515 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:23:00.354439020 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:23:00.482064009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63523 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:23:07.677233934 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:23:07.805013895 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63530 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:23:17.804781914 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:23:27.817581892 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:23:37.830990076 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:23:41.266194105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 08:23:41.395442009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 63564 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 08:23:51.401804924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:24:01.416897058 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:24:11.439097881 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	7780	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:22:13.743963003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:14.341741085 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54403 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:17.479376078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:17.605864048 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54406 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:21.154603958 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:21.280111074 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54410 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:23.494431973 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:23.619842052 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54412 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:24.417426109 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:24.542874098 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54413 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:26.417196989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:26.542383909 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54415 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:28.799694061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:28.926366091 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54417 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:37.767184019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:37.892437935 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54426 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:38.298260927 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:38.424153090 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54427 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:38.958645105 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:39.084471941 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54428 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:39.554588079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:39.680032015 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54428 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:41.300884008 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:41.426104069 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54430 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:22:51.438219070 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:22:52.708898067 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:22:52.834602118 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54441 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:23:00.486355066 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:23:00.611612082 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54449 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:23:07.808275938 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:23:07.933948040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54456 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:23:17.936362028 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:23:27.949146032 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:23:37.962781906 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:23:41.400172949 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 08:23:41.527498007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 54490 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 08:23:51.533287048 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:24:01.548477888 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 08:24:11.570635080 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	03:22:01
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc20000
File size:	919'552 bytes
MD5 hash:	7E0177A38BE142CA0E1B17462920FFF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:22:01
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x580000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:22:01
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:22:03
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x580000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:22:03
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:22:03
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x580000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:22:03
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x580000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x580000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:22:04
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:22:05
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ff7113-6985-4006-bec7-7eb2328d957f} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d29b56fb10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:22:07
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -parentBuildID 20230927232528 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd698bc7-645a-4afe-acb1-9f9348c4d216} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ad635210 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:22:16
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5212 -prefMapHandle 5264 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58edcd17-e6ab-4b3e-b629-9824facfceb3} 7780 "\\.\pipe\gecko-crash-server-pipe.7780" 2d2ac551310 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1633
Total number of Limit Nodes:	73

Executed Functions

Function 00C242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C2430D

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

GetCurrentProcess.KERNEL32(?,00CBCB64,00000000,?,?), ref: 00C24422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C24429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C24454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C24466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C24474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C2447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C244A0

Strings

|O, xrefs: 00C636F8
kernel32.dll, xrefs: 00C2444F
GetNativeSystemInfo, xrefs: 00C24460

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: a28b92ce42c0969d0580c80d95df29910caf09e4f9bc409f5b49c04457be9cea
Instruction ID: df395008ea6071cf081cf4119e593a77fb469452163e82176e35f97dfa2267d8
Opcode Fuzzy Hash: a28b92ce42c0969d0580c80d95df29910caf09e4f9bc409f5b49c04457be9cea
Instruction Fuzzy Hash: 00A1A47695A2D4DFC725D76DBC813BD7FE47B26300B0C58A9E88593A32D220460DDB23

Function 00C242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C250AA,?,?,00000000,00000000), ref: 00C242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C250AA,?,?,00000000,00000000), ref: 00C242C9
LoadResource.KERNEL32(?,00000000,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20), ref: 00C635BE
SizeofResource.KERNEL32(?,00000000,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20), ref: 00C635D3
LockResource.KERNEL32(00C250AA,?,?,00C250AA,?,?,00000000,00000000,?,?,?,?,?,?,00C24F20,?), ref: 00C635E6

Strings

SCRIPT, xrefs: 00C242BF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 75c7461af66aa40c8b018f6f9a6b3ca241d12a061dc769340d51e6fffe336d2f
Instruction ID: 575fb7980e9cdbe4cb7df6f0d7a614ef3f7f49f473b4a454a3f654ad45f4298a
Opcode Fuzzy Hash: 75c7461af66aa40c8b018f6f9a6b3ca241d12a061dc769340d51e6fffe336d2f
Instruction Fuzzy Hash: 45118E74200700FFDB258BA6EC88F6B7BB9EBC5B51F104269F412D6690DB71DD008631

Function 00C62BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C22B6B

Part of subcall function 00C23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CF1418,?,00C22E7F,?,?,?,00000000), ref: 00C23A78

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CE2224), ref: 00C62C10
ShellExecuteW.SHELL32(00000000,?,?,00CE2224), ref: 00C62C17

Strings

runas, xrefs: 00C62C0B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 5c1ec2d320ce27fd56cfd984e923afe80dc18ebb527ea507b8c840e197860688
Instruction ID: 814ce076987985d504cd36ba5ae8a48415e0d428471e1811e856b010e7526302
Opcode Fuzzy Hash: 5c1ec2d320ce27fd56cfd984e923afe80dc18ebb527ea507b8c840e197860688
Instruction Fuzzy Hash: 0C11B431208395ABC714FF60F891ABE7BA4EBD5310F48082DF593164A2CF358A0AE752

Function 00C8D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C8D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C8D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C8D52F
CloseHandle.KERNELBASE(00000000), ref: 00C8D5DC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 78998eb209254bd539a24003a26a2fe1ad175320e446738283e1611e60ef4980
Instruction ID: 590048f85dd6ca1ca63e158975a11d27f885f25e48db3ada6ca8d9e8005e6406
Opcode Fuzzy Hash: 78998eb209254bd539a24003a26a2fe1ad175320e446738283e1611e60ef4980
Instruction Fuzzy Hash: 3E31A0711083009FD300EF54D881BAFBBF8EF99358F14092DF582961E1EB719A48DBA2

Function 00C8DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00C65222), ref: 00C8DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C8DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C8DBEE
FindClose.KERNEL32(00000000), ref: 00C8DBFA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 438a329c50dae272d230189913c443148ddf884473f791442d0290b68eba845d
Instruction ID: 89b52405fd4f394b89de54686912e10796b291827fda286346169963f6f74753
Opcode Fuzzy Hash: 438a329c50dae272d230189913c443148ddf884473f791442d0290b68eba845d
Instruction Fuzzy Hash: BFF0A030810910578320BB7CAC4DAAE376C9E01338F104702F836C20F0EBB05E54879A

Function 00C44CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000,?,00C528E9), ref: 00C44D09
TerminateProcess.KERNEL32(00000000,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000,?,00C528E9), ref: 00C44D10
ExitProcess.KERNEL32 ref: 00C44D22

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f52595dada68502b1ec2449d3bb6bbb087d2fbeea38bb4f60d5b26629416dbd9
Instruction ID: 4668bae2dd484a16145d27a87caf61ac8151bc4171efa051005fddc7ff000577
Opcode Fuzzy Hash: f52595dada68502b1ec2449d3bb6bbb087d2fbeea38bb4f60d5b26629416dbd9
Instruction Fuzzy Hash: 69E0B631400148ABCF15AF54DD49B9C3BA9FB41791F604118FC159A132CB35DE42DA80

Function 00CAAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CAB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB1D4
_wcslen.LIBCMT ref: 00CAB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CAB236
_wcslen.LIBCMT ref: 00CAB332

Part of subcall function 00C905A7: GetStdHandle.KERNEL32(000000F6), ref: 00C905C6

_wcslen.LIBCMT ref: 00CAB34B
_wcslen.LIBCMT ref: 00CAB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CAB3B6
GetLastError.KERNEL32(00000000), ref: 00CAB407
CloseHandle.KERNEL32(?), ref: 00CAB439
CloseHandle.KERNEL32(00000000), ref: 00CAB44A
CloseHandle.KERNEL32(00000000), ref: 00CAB45C
CloseHandle.KERNEL32(00000000), ref: 00CAB46E
CloseHandle.KERNEL32(?), ref: 00CAB4E3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7fdfed7cf4bf5a3aca8458298a0d3c7ce16fe7e38211c7a2d9520b6d2f1b3abd
Instruction ID: 1a7a50f8f28d1fa4495a824febf840a8e410b9680344b09599482587ae10e06f
Opcode Fuzzy Hash: 7fdfed7cf4bf5a3aca8458298a0d3c7ce16fe7e38211c7a2d9520b6d2f1b3abd
Instruction Fuzzy Hash: 5DF1CE715083019FCB14EF24C891B6EBBE5BF86318F14895DF8999B2A2CB31ED41DB52

Function 00C2D731 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C2D807
timeGetTime.WINMM ref: 00C2DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2DB28
TranslateMessage.USER32(?), ref: 00C2DB7B
DispatchMessageW.USER32(?), ref: 00C2DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2DB9F
Sleep.KERNELBASE(0000000A), ref: 00C2DBB1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 146cd260856fc98bc7382b97f3d0789039d8cf16edd76395bdbc05428790d33f
Instruction ID: 229aa22f4ee67e3b22c2cd70db2b99569fdde0ad4786cb8a9c1cfc2fe0eba868
Opcode Fuzzy Hash: 146cd260856fc98bc7382b97f3d0789039d8cf16edd76395bdbc05428790d33f
Instruction Fuzzy Hash: B9421430608351DFD729DF25D894BAAB7E0FF65310F14861DF8AA87691CB70E984DB82

Function 00C22CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C22D07
RegisterClassExW.USER32(00000030), ref: 00C22D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C22D42
InitCommonControlsEx.COMCTL32(?), ref: 00C22D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C22D6F
LoadIconW.USER32(000000A9), ref: 00C22D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C22D94

Strings

TaskbarCreated, xrefs: 00C22D37
0, xrefs: 00C22CE9
+, xrefs: 00C22CF0
AutoIt v3 GUI, xrefs: 00C22D23

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 48cb3919f34594d187c80732589acb9d7ca6f88662b16abad4bad662f7a32075
Instruction ID: c874d4120f9da2bdab68b8a3a19fa68037f7382f9eb0b89d504458baa29af947
Opcode Fuzzy Hash: 48cb3919f34594d187c80732589acb9d7ca6f88662b16abad4bad662f7a32075
Instruction Fuzzy Hash: EB2193B5911318EFDB00DFA4E889BEDBBB4FB08701F14421AF951A62A0DBB55644CF91

Function 00C6065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C6039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C60704,?,?,00000000,?,00C60704,00000000,0000000C), ref: 00C603B7

GetLastError.KERNEL32 ref: 00C6076F
__dosmaperr.LIBCMT ref: 00C60776
GetFileType.KERNELBASE(00000000), ref: 00C60782
GetLastError.KERNEL32 ref: 00C6078C
__dosmaperr.LIBCMT ref: 00C60795
CloseHandle.KERNEL32(00000000), ref: 00C607B5
CloseHandle.KERNEL32(?), ref: 00C608FF
GetLastError.KERNEL32 ref: 00C60931
__dosmaperr.LIBCMT ref: 00C60938

Strings

H, xrefs: 00C608BD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b473bc92d311320b5b8d5c9a4614c67877c4124be1115801b4c826cc0852addd
Instruction ID: 4498fb81f6e140ada7c5fb8000bc93d0eb991f4a11b314791d475d23cc92d894
Opcode Fuzzy Hash: b473bc92d311320b5b8d5c9a4614c67877c4124be1115801b4c826cc0852addd
Instruction Fuzzy Hash: 8FA11932A141048FDF29EF68D891BAE7BE1AB46320F24015DF815AB3D2D7319D13DB51

Function 00C2344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CF1418,?,00C22E7F,?,?,?,00000000), ref: 00C23A78

Part of subcall function 00C23357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C23379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C2356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C6318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C631CE
RegCloseKey.ADVAPI32(?), ref: 00C63210
_wcslen.LIBCMT ref: 00C63277
_wcslen.LIBCMT ref: 00C63286

Strings

\, xrefs: 00C6328C
Software\AutoIt v3\AutoIt, xrefs: 00C23560
Include, xrefs: 00C63184, 00C631C5
\Include\, xrefs: 00C23527

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 1182dd80d9caf72f1f6ec27feecb34034386bf502ff250812807fc9e1a00477f
Instruction ID: 832550c77ee87eedf93035d7e0ce599f1b3feed97b8dd6a4a2619ae642de9620
Opcode Fuzzy Hash: 1182dd80d9caf72f1f6ec27feecb34034386bf502ff250812807fc9e1a00477f
Instruction Fuzzy Hash: EA7158B14043119FC314EF69E881AAFBBE8FF95740F40082EF555831B1EB349A49DB62

Function 00C22B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C22B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C22B9D
LoadIconW.USER32(00000063), ref: 00C22BB3
LoadIconW.USER32(000000A4), ref: 00C22BC5
LoadIconW.USER32(000000A2), ref: 00C22BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C22BEF
RegisterClassExW.USER32(?), ref: 00C22C40

Part of subcall function 00C22CD4: GetSysColorBrush.USER32(0000000F), ref: 00C22D07
Part of subcall function 00C22CD4: RegisterClassExW.USER32(00000030), ref: 00C22D31
Part of subcall function 00C22CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C22D42
Part of subcall function 00C22CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C22D5F
Part of subcall function 00C22CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C22D6F
Part of subcall function 00C22CD4: LoadIconW.USER32(000000A9), ref: 00C22D85
Part of subcall function 00C22CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C22D94

Strings

#, xrefs: 00C22C16
AutoIt v3, xrefs: 00C22C2F
0, xrefs: 00C22C0F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f07bbd3559d42480ec2bba9df5dd9fdec49a7cc65753cbf197c3982c187eb96b
Instruction ID: 3a1c936d2516d1a4c3ffb925519768383f89cebc6fa2f65d5bb8d16d80917558
Opcode Fuzzy Hash: f07bbd3559d42480ec2bba9df5dd9fdec49a7cc65753cbf197c3982c187eb96b
Instruction Fuzzy Hash: 04211A74E00315EBDB109FA6EC95BBE7FB4FB48B50F08011AEA00A66B0D7B10548DF91

Function 00C23170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C2316A,?,?), ref: 00C231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C2316A,?,?), ref: 00C23204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C23227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C2316A,?,?), ref: 00C23232
CreatePopupMenu.USER32 ref: 00C23246
PostQuitMessage.USER32(00000000), ref: 00C23267

Strings

TaskbarCreated, xrefs: 00C2322D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: aed12e9d9249a8b3cf2458bb916f4a1a8b4e084e4e9b16a72d9e65fa788ae418
Instruction ID: 3e8166f0ac0d4102081a277bd88c79e605cdfbd6e5097357f70fc8cde74ceb36
Opcode Fuzzy Hash: aed12e9d9249a8b3cf2458bb916f4a1a8b4e084e4e9b16a72d9e65fa788ae418
Instruction Fuzzy Hash: 844119352402A4E7DF251B78BD8DB7D3A29EB05350F080125F951969E2CB79CB40E7A2

Function 00C21410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C21459
CoUninitialize.COMBASE ref: 00C214F8
UnregisterHotKey.USER32(?), ref: 00C216DD
DestroyWindow.USER32(?), ref: 00C624B9
FreeLibrary.KERNEL32(?), ref: 00C6251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C6254B

Strings

close all, xrefs: 00C21454

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 698b1e768d5179ff5ec8e476db4927a1cd09937b6e987bc54f39502ccbf33a1e
Instruction ID: 4363b7cede5dd9cd9d9a29cd5bfeafc8b4e188ea4d3e84cbc6c498787c348003
Opcode Fuzzy Hash: 698b1e768d5179ff5ec8e476db4927a1cd09937b6e987bc54f39502ccbf33a1e
Instruction Fuzzy Hash: 1AD15A31701622CFDB29EF15D8D9A29F7A0BF15700F1842ADE84A6B661DB30ED12DF91

Function 00C22C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C22C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C22CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C21CAD,?), ref: 00C22CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C21CAD,?), ref: 00C22CCF

Strings

edit, xrefs: 00C22CAC
AutoIt v3, xrefs: 00C22C89, 00C22C8E, 00C22C8F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7f45a87ee89fdb4fa40aa68143275ab475a6abff42f4ac38a440e98b8b160040
Instruction ID: d87b1f67847f975d00776883f5f598a51ab7309dba1edf886e1e1f6441f0741b
Opcode Fuzzy Hash: 7f45a87ee89fdb4fa40aa68143275ab475a6abff42f4ac38a440e98b8b160040
Instruction Fuzzy Hash: 9EF0DA76940290BAEB311B17AC48FBB3EBDD7C7F60F04005AFD00A65B0C6615854DAB1

Function 00C23B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C23B0F,SwapMouseButtons,00000004,?), ref: 00C23B83

Strings

Control Panel\Mouse, xrefs: 00C23B3E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 83624f29372261402125faf129cd5a9b94ec09b06bc6675ded936f89fea0a849
Instruction ID: ac3a7b6bb841a1ecc43cc28f1e3ce6f99e48789a6425f1cbdaca580817b76ed7
Opcode Fuzzy Hash: 83624f29372261402125faf129cd5a9b94ec09b06bc6675ded936f89fea0a849
Instruction Fuzzy Hash: 021127B5611268FFDB20CFA5EC84AAEBBB8EF04744B10856AB805D7110E2359F409BA0

Function 00C23923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C633A2

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C23A04

Strings

Line: , xrefs: 00C633EB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5a1e1deb63f1d1b7da6a2d1dea6f22de9f11e48d49bc443a94ccbb36aecdf971
Instruction ID: 99eadbe3d41a91bdc409fa20d2f3ab17a4c8b283f3830bc786537e70b9972387
Opcode Fuzzy Hash: 5a1e1deb63f1d1b7da6a2d1dea6f22de9f11e48d49bc443a94ccbb36aecdf971
Instruction Fuzzy Hash: E031E3715083A4ABC325EB20EC45FEFB3E8AB41310F04092AF599825A1DB749B49DBD3

Function 00C3FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C40668

Part of subcall function 00C432A4: RaiseException.KERNEL32(?,?,?,00C4068A,?,00CF1444,?,?,?,?,?,?,00C4068A,00C21129,00CE8738,00C21129), ref: 00C43304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C40685

Strings

Unknown exception, xrefs: 00C40692

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a856ad0e9ce1f173ac098b56388bb856459f0e8e6770235707b236350592e9b7
Instruction ID: 5f53520884f127979cc0f491dc6b15941f3ed7ed66226b56b960af289e67f58c
Opcode Fuzzy Hash: a856ad0e9ce1f173ac098b56388bb856459f0e8e6770235707b236350592e9b7
Instruction Fuzzy Hash: D2F0C23494060DB78B00BA65E84AC9E7B6CBE40310B704535BE2896592EF71DB6AD990

Function 00C210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C21BF4
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C21BFC
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C21C07
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C21C12
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C21C1A
Part of subcall function 00C21BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C21C22

Part of subcall function 00C21B4A: RegisterWindowMessageW.USER32(00000004,?,00C212C4), ref: 00C21BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C2136A
OleInitialize.OLE32 ref: 00C21388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C624AB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e525361007a1987db25c1ffcec15958a0bc9490f11537ed309e93eac023380cf
Instruction ID: 9593dc22fbdba46e8d0597eedd62f356b6cb5ee8a432d188450cea0b16101e9a
Opcode Fuzzy Hash: e525361007a1987db25c1ffcec15958a0bc9490f11537ed309e93eac023380cf
Instruction Fuzzy Hash: 3071ABB4911244CFC784EF7AA9457BD3AE0FB9839475D822AED0ACB2A1EB314444DF43

Function 00C8C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C23A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C8C259
KillTimer.USER32(?,00000001,?,?), ref: 00C8C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C8C270

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1d2e52cd2af639d04ecb94ad8fbf90894aeeb6fd2b795f095d0abc05d18815a1
Instruction ID: 275017ad89f0b2b115dd2cdb8760c65aa3f313b643fbeea7fec5af522ccd4da1
Opcode Fuzzy Hash: 1d2e52cd2af639d04ecb94ad8fbf90894aeeb6fd2b795f095d0abc05d18815a1
Instruction Fuzzy Hash: EA319870904354AFEB62DF64C8D5BEBBBFC9B06308F04049DD5E997181C7745A84CB65

Function 00C586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C585CC,?,00CE8CC8,0000000C), ref: 00C58704
GetLastError.KERNEL32(?,00C585CC,?,00CE8CC8,0000000C), ref: 00C5870E
__dosmaperr.LIBCMT ref: 00C58739

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: bf1ec7d8455da0d6f24934c963950affb11eb7b4a6fa363925c5c51caef6b8ae
Instruction ID: e021187d1d5b25a395236bfb7b996fd7896776822e4b03f7f978691c658d6199
Opcode Fuzzy Hash: bf1ec7d8455da0d6f24934c963950affb11eb7b4a6fa363925c5c51caef6b8ae
Instruction Fuzzy Hash: 9D016B3AA1562017D3606234A84577E27494F91776F390219FC28AB0E2DEA08DCDD15C

Function 00C2DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C2DB7B
DispatchMessageW.USER32(?), ref: 00C2DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C2DB9F
Sleep.KERNELBASE(0000000A), ref: 00C2DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C71CC9

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 84d5f514fadc40bd3f0c238611ca2c77ec9f0d304d348f47c29acdbd8e33782a
Instruction ID: 743b8c2093b660208ca41967ff0721401f2e0d73e0dafa3bc133eeecae9426de
Opcode Fuzzy Hash: 84d5f514fadc40bd3f0c238611ca2c77ec9f0d304d348f47c29acdbd8e33782a
Instruction Fuzzy Hash: 57F05E306043449BEB30CBA4DC99FEA73ACEB44351F144618EA5AD30C0DB309588DB26

Function 00C31310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C317F6

Strings

CALL, xrefs: 00C317C6

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 0c6729dd4f973dfb1efb290aaf8c068556cf3e6fd8d8d77574dc031f42c0524c
Instruction ID: 8111a31a317eb38b8682992be1538004ce3a1d4f12ba557ef8981db7281538b8
Opcode Fuzzy Hash: 0c6729dd4f973dfb1efb290aaf8c068556cf3e6fd8d8d77574dc031f42c0524c
Instruction Fuzzy Hash: 2F228A706183019FC714DF25C484B2ABBF1BF89314F28892DF89A8B3A1D731E945DB92

Function 00C22DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C62C8C

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

Part of subcall function 00C22DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C22DC4

Strings

X, xrefs: 00C62C5A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 64a04eb7f8ff782a03f9fc8ee0c760b47b2651a84dd99222002d438ffcd5b09a
Instruction ID: 2da9e425c9c4dced4351ae37b17c109e18fc932f88031d25f5fe49cbc280c60f
Opcode Fuzzy Hash: 64a04eb7f8ff782a03f9fc8ee0c760b47b2651a84dd99222002d438ffcd5b09a
Instruction Fuzzy Hash: D321D570A102A8AFDF11EF94D845BEE7BFCAF58314F004059E405B7241DBB85A49DFA1

Function 00C5C9BB Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00C52D74: GetLastError.KERNEL32(?,?,00C55686,00C63CD6,?,00000000,?,00C55B6A,?,?,?,?,?,00C4E6D1,?,00CE8A48), ref: 00C52D78
Part of subcall function 00C52D74: _free.LIBCMT ref: 00C52DAB
Part of subcall function 00C52D74: SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DEC
Part of subcall function 00C52D74: _abort.LIBCMT ref: 00C52DF2

Part of subcall function 00C5CADA: _abort.LIBCMT ref: 00C5CB0C
Part of subcall function 00C5CADA: _free.LIBCMT ref: 00C5CB40

Part of subcall function 00C5C74F: GetOEMCP.KERNEL32(00000000), ref: 00C5C77A

_free.LIBCMT ref: 00C5CA33
_free.LIBCMT ref: 00C5CA69

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 28419baa71fb0a47122ecbb0d6edf274d863bb1efb0d69684060e26647f2bf30
Instruction ID: 4dcfcd5a0e3538d9371ff8c2d3cf3829d277fd51253c1371d6515b7b3e066d81
Opcode Fuzzy Hash: 28419baa71fb0a47122ecbb0d6edf274d863bb1efb0d69684060e26647f2bf30
Instruction Fuzzy Hash: DF31E739900348AFDB10DB69D4C1B9D7BF4EF41322F210199EC249B292EB355EC9EB58

Function 00C23837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C23908

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3d5654f76f33353877611d1533910c2159e8a3cf4e46cefefc26d93df182ed4b
Instruction ID: 8d2c3f0d6f85074824b9041dd24e3defddfd1863171f71091c73a5c1d3aef583
Opcode Fuzzy Hash: 3d5654f76f33353877611d1533910c2159e8a3cf4e46cefefc26d93df182ed4b
Instruction Fuzzy Hash: 7A31C370604351CFD320DF25D8847ABBBF8FB49318F00092EF99987690E775AA48CB52

Function 00C3F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C3F661

Part of subcall function 00C2D731: GetInputState.USER32 ref: 00C2D807

Sleep.KERNEL32(00000000), ref: 00C7F2DE

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 740fd6cea3981ebec1d8a8942dc093b2766be1c2963dd3cb830794a811480906
Instruction ID: 7f111ac1bf9c4f89862fcd7ec1592e734d4f43aff898a347e2ecba59aec715e0
Opcode Fuzzy Hash: 740fd6cea3981ebec1d8a8942dc093b2766be1c2963dd3cb830794a811480906
Instruction Fuzzy Hash: 02F08C31240615AFD310EF69E48AB6AB7E8EF55760F00412AF85ADB661DB70AC00CBA0

Function 00C2B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C2BB4E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: f30d912f5da0384fab832d6804072cc03befdf86f65ca649778f78a5b825e946
Instruction ID: ab4a8cdceb332bb6aa255710e91920d7010dcdd4d0ec3649b7f875bccb5ee085
Opcode Fuzzy Hash: f30d912f5da0384fab832d6804072cc03befdf86f65ca649778f78a5b825e946
Instruction Fuzzy Hash: 1C32DF75A00219DFCB20CF54D894BBEB7B9FF44300F248059E929AB6A1C774EE81DB91

Function 00C24ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
Part of subcall function 00C24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
Part of subcall function 00C24E90: FreeLibrary.KERNEL32(00000000,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EFD

Part of subcall function 00C24E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E62
Part of subcall function 00C24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
Part of subcall function 00C24E59: FreeLibrary.KERNEL32(00000000,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E87

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 292f6051b73d064ef961f11fd8c5d63d1d35175e87cb16c144b6b9fcb6dfcbeb
Instruction ID: d213282ec0657e17a581f3c94821a371a105d5831366b9f8aedcd1bca775d8a7
Opcode Fuzzy Hash: 292f6051b73d064ef961f11fd8c5d63d1d35175e87cb16c144b6b9fcb6dfcbeb
Instruction Fuzzy Hash: 36110A32610215ABDF28FFA4ED42FAD77A5AF90710F10442DF542A65C1DEB09E15AB50

Function 00C58402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C58440

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ec398097ad0c7ba83b339ba374d1066c59cadeabb0a6d4047352af98725c41a3
Instruction ID: f30923892979071522c2cd49a84e7f7afa625e00861493c81887e04a8d036fd9
Opcode Fuzzy Hash: ec398097ad0c7ba83b339ba374d1066c59cadeabb0a6d4047352af98725c41a3
Instruction Fuzzy Hash: E411487590410AAFCB05DF58E940A9F7BF9EF48301F104059FC09AB312DB30DA15CBA9

Function 00C4E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1577ce8737c6c50ce1caede9ddf87ea36775f56c513e9e696c3cfbb4b33cc94a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D3F0F436510A1896C7313A7A9C05BDA339CBF62336F120715F825A22D2CF74994AA6A9

Function 00C53820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14491d0b9945779f1f1e7cb3f8beac2928b1ce426015c58378dfa754f0b6f7e4
Instruction ID: e404e36772ac67955ab5d149d69eaf0afd0a7de98ee504897884346dffc834d4
Opcode Fuzzy Hash: 14491d0b9945779f1f1e7cb3f8beac2928b1ce426015c58378dfa754f0b6f7e4
Instruction Fuzzy Hash: B2E0E5391002A4A6E73926679C00B9A3748AB427F6F190123BC24A74D1CB51DF8991F9

Function 00C24F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24F6D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 884a10b9932158cb35cc14403e3b2cf8ae047b36affcfc56d037f21554c86e87
Instruction ID: 74a292d44e26036955d113bb049f39da42626acbe4883bc98bc6ecf17bd3d2ab
Opcode Fuzzy Hash: 884a10b9932158cb35cc14403e3b2cf8ae047b36affcfc56d037f21554c86e87
Instruction Fuzzy Hash: 4CF0A071005321CFCB388FA5E590816B7E0FF40319310897EE1EA82910C7319844DF10

Function 00CB2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CB2A66

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fe715dd983be26ca8d9004753779febbd4601b40816c166c6ce83dcff44736e4
Instruction ID: 836c788917481129fe2e5b03c6c87374867caa7f59178bf14bf866f40b5ad759
Opcode Fuzzy Hash: fe715dd983be26ca8d9004753779febbd4601b40816c166c6ce83dcff44736e4
Instruction Fuzzy Hash: 30E04F36350126AAC714EA31DC859FE775CEB50395B104536FC26C2140DB309A95A6A4

Function 00C230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C2314E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: df189a1c6a061ee3c1f013fd09afa22d4e1d20e4d2528afaf5493afe6378a214
Instruction ID: 4de09337f25ec0dd33210728ce76b8231db69fd8b98d93e7c51e5a4407bec53d
Opcode Fuzzy Hash: df189a1c6a061ee3c1f013fd09afa22d4e1d20e4d2528afaf5493afe6378a214
Instruction Fuzzy Hash: DEF037709143589FE7529F24DC46BED7BBCA701708F0401E5A54896192D7745B88CF52

Function 00C22DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C22DC4

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8ebe9b0acae274b59a75d312204ef584d3ebc5981e122e9af8356c1f4e5f707c
Instruction ID: 153af8c30089c832ed22278ebd1d9efb60af3742a6f5b9ec4b855b88d896a7d2
Opcode Fuzzy Hash: 8ebe9b0acae274b59a75d312204ef584d3ebc5981e122e9af8356c1f4e5f707c
Instruction Fuzzy Hash: 8EE0CD726001245BC720D6989C05FDA77DDDFC8790F040171FD09D7248D960AD809551

Function 00C22B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C23837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C23908

Part of subcall function 00C2D731: GetInputState.USER32 ref: 00C2D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C22B6B

Part of subcall function 00C230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C2314E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 633d9e1b487b6027b1a2684dc00285dff7f2e874c4d202ba32876b62a6544fcb
Instruction ID: 0c4c720f46e3bd9e4e9bc76500da6ac3766bc473451ee500112f3c72e734b4c7
Opcode Fuzzy Hash: 633d9e1b487b6027b1a2684dc00285dff7f2e874c4d202ba32876b62a6544fcb
Instruction Fuzzy Hash: 90E07D213002A807CB04BB34B8526BDB749DBE1311F44053EF143475A3CF2846459362

Function 00C6039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C60704,?,?,00000000,?,00C60704,00000000,0000000C), ref: 00C603B7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2778a5a9dcb7957e18d7ed896da1a59ea508340f027fccf47eb771796f7fb271
Instruction ID: 3073017e34baff4bfb0f1b9e75a36dd97ca3a873c9b48ecaba5e68d47e5681a6
Opcode Fuzzy Hash: 2778a5a9dcb7957e18d7ed896da1a59ea508340f027fccf47eb771796f7fb271
Instruction Fuzzy Hash: BBD06C3204010DBBDF028F84DD46EDE3BAAFB48714F014100BE1866020C732E821AB90

Function 00C21CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C21CBC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2aeac18e79a37fb3b1f0704529601b6e80cdebaaad1d462bb5e66ee0a20a7557
Instruction ID: 6a76862c34c1cb876c2a91aa919296b9fc89af02a5c9bf4e28be3ff878d0ae89
Opcode Fuzzy Hash: 2aeac18e79a37fb3b1f0704529601b6e80cdebaaad1d462bb5e66ee0a20a7557
Instruction Fuzzy Hash: A5C09B36280305DFF6144B80BC4AF387754A348B00F044001F609555F3C3A11414F651

Non-executed Functions

Function 00CB9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CB961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CB965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CB969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB96C9
SendMessageW.USER32 ref: 00CB96F2
GetKeyState.USER32(00000011), ref: 00CB978B
GetKeyState.USER32(00000009), ref: 00CB9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CB97AE
GetKeyState.USER32(00000010), ref: 00CB97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB97E9
SendMessageW.USER32 ref: 00CB9810
SendMessageW.USER32(?,00001030,?,00CB7E95), ref: 00CB9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CB992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CB9941
SetCapture.USER32(?), ref: 00CB994A
ClientToScreen.USER32(?,?), ref: 00CB99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CB99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB99D6
ReleaseCapture.USER32 ref: 00CB99E1
GetCursorPos.USER32(?), ref: 00CB9A19
ScreenToClient.USER32(?,?), ref: 00CB9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CB9A80
SendMessageW.USER32 ref: 00CB9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CB9AEB
SendMessageW.USER32 ref: 00CB9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CB9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CB9B4A
GetCursorPos.USER32(?), ref: 00CB9B68
ScreenToClient.USER32(?,?), ref: 00CB9B75
GetParent.USER32(?), ref: 00CB9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CB9BFA
SendMessageW.USER32 ref: 00CB9C2B
ClientToScreen.USER32(?,?), ref: 00CB9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CB9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CB9CDE
SendMessageW.USER32 ref: 00CB9D01
ClientToScreen.USER32(?,?), ref: 00CB9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CB9D82

Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952

GetWindowLongW.USER32(?,000000F0), ref: 00CB9E05

Strings

@GUI_DRAGID, xrefs: 00CB997D
F, xrefs: 00CB9D07

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 97cdf1d05c72479ca50e57b380db1407f59f4b0e33b1b9b9bd48392e4068476e
Instruction ID: 4a2e24b03d3134f608c2b0a2f53c32a0dda0b1e47155809f95125d57cff8d57b
Opcode Fuzzy Hash: 97cdf1d05c72479ca50e57b380db1407f59f4b0e33b1b9b9bd48392e4068476e
Instruction Fuzzy Hash: A8428A34204651AFDB20CF24CC84FAABBF5FF49310F144619FAA9972A1D771EA50DB92

Function 00CB4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CB48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CB4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CB4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CB494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CB495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CB497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CB49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CB49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CB4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CB4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CB4A7E
IsMenu.USER32(?), ref: 00CB4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CB4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CB4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CB4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CB4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CB4C82
wsprintfW.USER32 ref: 00CB4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CB4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CB4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CB4D5A

Strings

%d/%02d/%02d, xrefs: 00CB4CA8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5e6df20213d44c4634d1b6dc48bfdbed87d6670bcb949b985b345633620d5fde
Instruction ID: a122e118474ddbfcdd26809bd45c5f14441db97658f21f2cb3154076f484388f
Opcode Fuzzy Hash: 5e6df20213d44c4634d1b6dc48bfdbed87d6670bcb949b985b345633620d5fde
Instruction Fuzzy Hash: CD12DF71604214ABEB298F69CC49FEE7BF8EF45710F104229F525EB2E2DB749A41CB50

Function 00C3F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C3F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7F474
IsIconic.USER32(00000000), ref: 00C7F47D
ShowWindow.USER32(00000000,00000009), ref: 00C7F48A
SetForegroundWindow.USER32(00000000), ref: 00C7F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7F4AA
GetCurrentThreadId.KERNEL32 ref: 00C7F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C7F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C7F4DE
SetForegroundWindow.USER32(00000000), ref: 00C7F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F4F6
keybd_event.USER32(00000012,00000000), ref: 00C7F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F50B
keybd_event.USER32(00000012,00000000), ref: 00C7F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F519
keybd_event.USER32(00000012,00000000), ref: 00C7F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C7F528
keybd_event.USER32(00000012,00000000), ref: 00C7F52D
SetForegroundWindow.USER32(00000000), ref: 00C7F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C7F557

Strings

Shell_TrayWnd, xrefs: 00C7F46F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8f730b6615a5084fc8b750604ca868fdb85f7508fce69228e1cf18d16974117c
Instruction ID: d9609286de4137d328844bdc82a4a6ef913dc81620b3235540c94d86d2e1aa65
Opcode Fuzzy Hash: 8f730b6615a5084fc8b750604ca868fdb85f7508fce69228e1cf18d16974117c
Instruction Fuzzy Hash: CE316471A40318BFEB306BB59C8AFBF7E6CEB44B50F10416AFA15F61D1C6B15D01AA60

Function 00C81201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
Part of subcall function 00C816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
Part of subcall function 00C816C3: GetLastError.KERNEL32 ref: 00C8174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C81286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C812A8
CloseHandle.KERNEL32(?), ref: 00C812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C812D1
GetProcessWindowStation.USER32 ref: 00C812EA
SetProcessWindowStation.USER32(00000000), ref: 00C812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C81310

Part of subcall function 00C810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C811FC), ref: 00C810D4
Part of subcall function 00C810BF: CloseHandle.KERNEL32(?,?,00C811FC), ref: 00C810E9

Strings

default, xrefs: 00C8130B
winsta0, xrefs: 00C812CC
, xrefs: 00C8125A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 627e0f048c289c39c2a01f375601d2e974e38a6e89df05f5ae4d92d5a9c04913
Instruction ID: 3efc1373edd04eb24c8680d03162c2da53dac4a55e663825dc877c4f570359fa
Opcode Fuzzy Hash: 627e0f048c289c39c2a01f375601d2e974e38a6e89df05f5ae4d92d5a9c04913
Instruction Fuzzy Hash: 88818C71900209AFDF11AFA5DC89FEE7BBDEF44708F184129F921A61A0D7318A46DB24

Function 00C80B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
Part of subcall function 00C810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
Part of subcall function 00C810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
Part of subcall function 00C810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C80BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C80C00
GetLengthSid.ADVAPI32(?), ref: 00C80C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C80C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C80C6D
GetLengthSid.ADVAPI32(?), ref: 00C80C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C80C8C
HeapAlloc.KERNEL32(00000000), ref: 00C80C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C80CB4
CopySid.ADVAPI32(00000000), ref: 00C80CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C80CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C80D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C80D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D45
HeapFree.KERNEL32(00000000), ref: 00C80D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D55
HeapFree.KERNEL32(00000000), ref: 00C80D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80D65
HeapFree.KERNEL32(00000000), ref: 00C80D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C80D78
HeapFree.KERNEL32(00000000), ref: 00C80D7F

Part of subcall function 00C81193: GetProcessHeap.KERNEL32(00000008,00C80BB1,?,00000000,?,00C80BB1,?), ref: 00C811A1
Part of subcall function 00C81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C80BB1,?), ref: 00C811A8
Part of subcall function 00C81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C80BB1,?), ref: 00C811B7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fe07e153177f5af35c8d5293d31a862b83900b0ba7e59ffd81d85550c02cd85
Instruction ID: fc895690775c07d1da247464c238e69bd55644cf0834599184048b3323e88e28
Opcode Fuzzy Hash: 1fe07e153177f5af35c8d5293d31a862b83900b0ba7e59ffd81d85550c02cd85
Instruction Fuzzy Hash: A8716E7290020AAFDF50EFA4DC84FAEBBB8BF04304F14461AF914A7191D771AA09CB60

Function 00C9EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CBCC08), ref: 00C9EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C9EB37
GetClipboardData.USER32(0000000D), ref: 00C9EB43
CloseClipboard.USER32 ref: 00C9EB4F
GlobalLock.KERNEL32(00000000), ref: 00C9EB87
CloseClipboard.USER32 ref: 00C9EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C9EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C9EBC9
GetClipboardData.USER32(00000001), ref: 00C9EBD1
GlobalLock.KERNEL32(00000000), ref: 00C9EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C9EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C9EC38
GetClipboardData.USER32(0000000F), ref: 00C9EC44
GlobalLock.KERNEL32(00000000), ref: 00C9EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C9EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C9EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C9ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C9ECF3
CountClipboardFormats.USER32 ref: 00C9ED14
CloseClipboard.USER32 ref: 00C9ED59

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 5f339d5826300197ae47b7591f36ca1536b7c77525952f24811c92ad3096235b
Instruction ID: 82ef10475bf9543704e99ac5301d771c815e3644a3da6cc73d80bd79b4184360
Opcode Fuzzy Hash: 5f339d5826300197ae47b7591f36ca1536b7c77525952f24811c92ad3096235b
Instruction Fuzzy Hash: D361CF35204302AFD700EF24D889F2E77A4EF94714F184659F456972A2DB31DE45DB62

Function 00C9698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C969BE
FindClose.KERNEL32(00000000), ref: 00C96A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C96A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C96A75

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C96AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C96ADF

Strings

%4d, xrefs: 00C96BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C96B32
%4d%02d%02d%02d%02d%02d, xrefs: 00C96B6A
%02d, xrefs: 00C96C00, 00C96C0A, 00C96C5A, 00C96CAA, 00C96CFA, 00C96D4A
%03d, xrefs: 00C96DA2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 488d7e67890118e75d876a2c86a11eac0d01811a46f380386cf4c3460c696bc7
Instruction ID: 8e5895911970f4ce419b43861cdc6cd077e902f31ef2436b0b2333d694eb8f4e
Opcode Fuzzy Hash: 488d7e67890118e75d876a2c86a11eac0d01811a46f380386cf4c3460c696bc7
Instruction Fuzzy Hash: 60D15EB2508350AFC710EBA4D995EAFB7ECBF88704F44491DF585C6291EB34DA08DB62

Function 00C99642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C99663
GetFileAttributesW.KERNEL32(?), ref: 00C996A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C996BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C996D3
FindClose.KERNEL32(00000000), ref: 00C996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C9974A
SetCurrentDirectoryW.KERNEL32(00CE6B7C), ref: 00C99768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C99772
FindClose.KERNEL32(00000000), ref: 00C9977F
FindClose.KERNEL32(00000000), ref: 00C9978F

Strings

*.*, xrefs: 00C996F5

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 73fa7314986419c50c56b12c0578c7b09a87098f68109ea9dd91af3815fa8213
Instruction ID: d74c898258ecdcc0378eb117d3120593c56a95c12d7572184e6bcb2251e7007a
Opcode Fuzzy Hash: 73fa7314986419c50c56b12c0578c7b09a87098f68109ea9dd91af3815fa8213
Instruction Fuzzy Hash: B031A3325402196BDF24AFF9DC8DBDE77ACEF49320F14426AF915E21A0DB74DA448A24

Function 00C9979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C99819
FindClose.KERNEL32(00000000), ref: 00C99824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C99840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C99890
SetCurrentDirectoryW.KERNEL32(00CE6B7C), ref: 00C998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C998B8
FindClose.KERNEL32(00000000), ref: 00C998C5
FindClose.KERNEL32(00000000), ref: 00C998D5

Part of subcall function 00C8DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C8DB00

Strings

*.*, xrefs: 00C9983B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 62b328f67971ff25f2d11fc4e77e70ab09d02d0b36d81d0280e1ed88919ff8d3
Instruction ID: 297f455901cd246c1bcf01e85ac041b12dda6683e1c10f1bd4bddc755a1aa6bb
Opcode Fuzzy Hash: 62b328f67971ff25f2d11fc4e77e70ab09d02d0b36d81d0280e1ed88919ff8d3
Instruction Fuzzy Hash: E231A5315006196BDF24AFB9DC4CADE77ACEF06320F14416DE864A21E1DB71DA44DA64

Function 00CABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CABFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CAC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CAC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CAC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CAC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CAC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CAC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CAC382
RegCloseKey.ADVAPI32(00000000), ref: 00CAC38F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 97d4c8441196b024d3d652e5c86e5150f97cbf096ed537529cf4566e24b770ed
Instruction ID: c7dcbdb6bd354e0c9104a8f2e19ad9fe7568c288581725d2940516ad9688c5bf
Opcode Fuzzy Hash: 97d4c8441196b024d3d652e5c86e5150f97cbf096ed537529cf4566e24b770ed
Instruction Fuzzy Hash: 78025B71604201AFC714DF28C8D5E2ABBE5EF89308F18859DF85ADB2A2DB31ED45CB51

Function 00C98195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C98257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C98267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C98273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C98310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C9838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98395

Strings

*.*, xrefs: 00C9839B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 9e3b60d65ef9c975ea9d3f6293a2cf06cbf116ff60d184686d9227a0bc6a4307
Instruction ID: f18cfb87b9e79a8386ea9292d4563c544ea199aea27f293e236bac4f35665292
Opcode Fuzzy Hash: 9e3b60d65ef9c975ea9d3f6293a2cf06cbf116ff60d184686d9227a0bc6a4307
Instruction Fuzzy Hash: FC617D715043059FCB10EF64D884A9EB3E8FF89314F04492DF999D7251DB31EA49CB92

Function 00C8D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C8D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C8D1DD
MoveFileW.KERNEL32(?,?), ref: 00C8D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C8D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8D237

Part of subcall function 00C8D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C8D21C,?,?), ref: 00C8D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C8D253
FindClose.KERNEL32(00000000), ref: 00C8D264

Strings

\*.*, xrefs: 00C8D0CD, 00C8D0D6, 00C8D0EB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 2aa8da9ec9a52228b02d7cdd3969e44be7c2be20786ef41956f3519712763d9e
Instruction ID: a0ca28f4b5b9e6cd379f2dd4203914de4dead61868f2cb3c24074db6529446cb
Opcode Fuzzy Hash: 2aa8da9ec9a52228b02d7cdd3969e44be7c2be20786ef41956f3519712763d9e
Instruction Fuzzy Hash: C3618C31C0115DABCF05FBE0EA92AEDB7B9AF55304F244165E402771A2EB306F09EB65

Function 00C9ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C9ED91
EmptyClipboard.USER32 ref: 00C9ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C9EDAC
CloseClipboard.USER32 ref: 00C9EEA3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4244807d53962fd90ce844a3d2e6bdf7e455b731eb9b41ff978f59a441a00e6d
Instruction ID: 16896066d5b74125f401239b219382a0578c4375c597c52a5fac6bbca1b5249b
Opcode Fuzzy Hash: 4244807d53962fd90ce844a3d2e6bdf7e455b731eb9b41ff978f59a441a00e6d
Instruction Fuzzy Hash: 60419E35604621AFEB20DF19E88CF19BBE5FF54328F14C199E4258BA62C735ED41CB91

Function 00C8E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
Part of subcall function 00C816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
Part of subcall function 00C816C3: GetLastError.KERNEL32 ref: 00C8174A

ExitWindowsEx.USER32(?,00000000), ref: 00C8E932

Strings

@, xrefs: 00C8E925
SeShutdownPrivilege, xrefs: 00C8E902
, xrefs: 00C8E95C
, xrefs: 00C8E920

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: bca24b24f97498230c13d5779e11b328cc210d20e62a41037ec5ba4d2c58aab3
Instruction ID: 905dc65e19794cc47bb1acca437fb302b66c6f7f24af26bc81eb036cfb5a65e9
Opcode Fuzzy Hash: bca24b24f97498230c13d5779e11b328cc210d20e62a41037ec5ba4d2c58aab3
Instruction Fuzzy Hash: E601F972610211ABEB6436B59CC6FFF729C9714759F194521FC13E31E2D6E09D4093A8

Function 00CA1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CA1276
WSAGetLastError.WSOCK32 ref: 00CA1283
bind.WSOCK32(00000000,?,00000010), ref: 00CA12BA
WSAGetLastError.WSOCK32 ref: 00CA12C5
closesocket.WSOCK32(00000000), ref: 00CA12F4
listen.WSOCK32(00000000,00000005), ref: 00CA1303
WSAGetLastError.WSOCK32 ref: 00CA130D
closesocket.WSOCK32(00000000), ref: 00CA133C

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 70ed36cc78464282c6a005cb8ed62c90a4fcc4eda16568e09b3d252e2342ac5f
Instruction ID: f00dd951b5777ae3d4cab4704ae09f399a1e7d590512591c0f9cbd6a9e15d172
Opcode Fuzzy Hash: 70ed36cc78464282c6a005cb8ed62c90a4fcc4eda16568e09b3d252e2342ac5f
Instruction Fuzzy Hash: A34170316001519FD710DF68D5C8B29BBE5AF46318F188298E8669F2E2C771ED81CBE1

Function 00C8D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C8D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C8D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8D481
FindClose.KERNEL32(00000000), ref: 00C8D498
FindClose.KERNEL32(00000000), ref: 00C8D4A1

Strings

\*.*, xrefs: 00C8D3F2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6a3af9e65d63ae8fd20f5133236e9b26a086e78671cacac38527894316eab6ea
Instruction ID: 385d25e6f6c1257ab0328ff290b88138927f1b3211082b7caf5e99394136bb3e
Opcode Fuzzy Hash: 6a3af9e65d63ae8fd20f5133236e9b26a086e78671cacac38527894316eab6ea
Instruction Fuzzy Hash: 90315E710083959BC304FF64D8919AFB7A8BE95314F444E2DF4E2931E1EB30AA09DB67

Function 00C5E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C5E645

Strings

1#IND, xrefs: 00C5F83D
1#SNAN, xrefs: 00C5F844
1#QNAN, xrefs: 00C5F84B
1#INF, xrefs: 00C5F852

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 90cf1ba26d00bf62975b924a9ae21002bcb4040cdfa10c40aba5b848ae528631
Instruction ID: 43c13555841c66877fa6bd66b1aa213a91b926109db9cf76250ab0fd0dc3de05
Opcode Fuzzy Hash: 90cf1ba26d00bf62975b924a9ae21002bcb4040cdfa10c40aba5b848ae528631
Instruction Fuzzy Hash: 31C24B75E046288FDB29CE28CD407EAB7B5EB48306F1441EAD85DE7241E774AF868F44

Function 00C9648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C964DC
CoInitialize.OLE32(00000000), ref: 00C96639
CoCreateInstance.OLE32(00CBFCF8,00000000,00000001,00CBFB68,?), ref: 00C96650
CoUninitialize.OLE32 ref: 00C968D4

Strings

.lnk, xrefs: 00C964BA, 00C96524, 00C965E0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ddef6713cce895dd9cccacd719feeab4cce7d5c110f53d4882443e14008c21f8
Instruction ID: 2f8a7ae5ca490946edc82139a422ab9b74beba1427033d999e81a3021b2fe96f
Opcode Fuzzy Hash: ddef6713cce895dd9cccacd719feeab4cce7d5c110f53d4882443e14008c21f8
Instruction Fuzzy Hash: 65D14971508211AFC704EF24D895E6BB7E8FF98704F00496DF5958B2A1DB71EE09CBA2

Function 00CA22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CA22E8

Part of subcall function 00C9E4EC: GetWindowRect.USER32(?,?), ref: 00C9E504

GetDesktopWindow.USER32 ref: 00CA2312
GetWindowRect.USER32(00000000), ref: 00CA2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CA2355
GetCursorPos.USER32(?), ref: 00CA2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CA23DF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 8b239635ff7422a091c569042fc087c732f064803a15843e692eb89af29a9d54
Instruction ID: 91c6e399183cbb87e7e83ed41c7e420ebab90136191a0baa4905c9b4e5aa2c0a
Opcode Fuzzy Hash: 8b239635ff7422a091c569042fc087c732f064803a15843e692eb89af29a9d54
Instruction Fuzzy Hash: 6531E272505316AFCB20DF58D849F9BB7ADFF86318F000A19F99597191DB34EA08CB92

Function 00C99B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C99B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C99C8B

Part of subcall function 00C93874: GetInputState.USER32 ref: 00C938CB
Part of subcall function 00C93874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C93966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C99BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C99C75

Strings

*.*, xrefs: 00C99B5D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7a83874f51026ba103082a301f436bc67e127e8b56a0af2cb8c8cd11dac210ff
Instruction ID: 6aff522b57f1ce83d6a78a592ed5eaeadd25d96086cd101c02ca496c27fe557d
Opcode Fuzzy Hash: 7a83874f51026ba103082a301f436bc67e127e8b56a0af2cb8c8cd11dac210ff
Instruction Fuzzy Hash: 1041607194421AAFCF14DF68DC89AEEBBB8FF05310F24416AE815A2191EB309F44DF61

Function 00C3997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C39A4E
GetSysColor.USER32(0000000F), ref: 00C39B23
SetBkColor.GDI32(?,00000000), ref: 00C39B36

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 39ba9ec05adac6c3d90c153ddedf2f93cf4609453dd84301e9da47b644d41dcb
Instruction ID: 03a94af83d8e82caa44578b9837308fcec1653fad642d7e20d847bc69d824054
Opcode Fuzzy Hash: 39ba9ec05adac6c3d90c153ddedf2f93cf4609453dd84301e9da47b644d41dcb
Instruction Fuzzy Hash: C2A15C71128408EEE729AA3E8C99FBF365DDB42340F154309F522C66A5CAB59F01E272

Function 00CA1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CA307A
Part of subcall function 00CA304E: _wcslen.LIBCMT ref: 00CA309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CA185D
WSAGetLastError.WSOCK32 ref: 00CA1884
bind.WSOCK32(00000000,?,00000010), ref: 00CA18DB
WSAGetLastError.WSOCK32 ref: 00CA18E6
closesocket.WSOCK32(00000000), ref: 00CA1915

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c7358641c70396b733b1cc55913ede9d2d1f3332807644bd068c2da42b7d3653
Instruction ID: e97ac11fe8c77e1b08db45d7da86bd06c8762c03d17310e14d4c5fa4637c2d18
Opcode Fuzzy Hash: c7358641c70396b733b1cc55913ede9d2d1f3332807644bd068c2da42b7d3653
Instruction Fuzzy Hash: 1C51D371A00210AFDB10AF24D8C6F2A77E5AF49718F188158F9156F3C3C775AE41DBA1

Function 00CB1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CB1CC0
IsWindowEnabled.USER32 ref: 00CB1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CB1CDB
IsIconic.USER32 ref: 00CB1CE9
IsZoomed.USER32 ref: 00CB1CF7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 01a43b14940599ac9e0e98d56fd537d91f5a4f777609296b80d3c49404747217
Instruction ID: fe4e7528f1963cc7a1301fa0937f076a4152f08acc6b8a2af5fa6b9b1da8f8e2
Opcode Fuzzy Hash: 01a43b14940599ac9e0e98d56fd537d91f5a4f777609296b80d3c49404747217
Instruction Fuzzy Hash: E921D3317402105FD7218F2AC8A4BAA7FA5EF85315F5C8058EC4ACB351CB71EE42CB90

Function 00C28060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C2843C
VUUU, xrefs: 00C65DF0
ERCP, xrefs: 00C2813C
VUUU, xrefs: 00C283E8
VUUU, xrefs: 00C283FA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9496d5b990d85aeebd087d8d5fb06d5fc52e69a33df2dadc01a37a589759942d
Instruction ID: 52942769dd738d46396b985ca1409def38c0fa05db0c6e187167ab63bafd2c22
Opcode Fuzzy Hash: 9496d5b990d85aeebd087d8d5fb06d5fc52e69a33df2dadc01a37a589759942d
Instruction Fuzzy Hash: 27A2A070E0162ACBDF34CF59D8907ADB7B1BF54310F2481AAE825A7684DB749E85CF90

Function 00C8AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C8AAAC
SetKeyboardState.USER32(00000080), ref: 00C8AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C8AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C8AB88

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0d836a337aab5cc15887da3af79cb37af193ab536009790a7e104dff7be27775
Instruction ID: 439ed3f6b0096a23c17c570907a70504b5f0b538a9dd66a0ba84324a12320b96
Opcode Fuzzy Hash: 0d836a337aab5cc15887da3af79cb37af193ab536009790a7e104dff7be27775
Instruction Fuzzy Hash: 57313970A40218AFFF35EB65CC45BFE7BAAAB44318F04421BF0A1561D0D3758E81D76A

Function 00C5BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C5BB7F

Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

GetTimeZoneInformation.KERNEL32 ref: 00C5BB91
WideCharToMultiByte.KERNEL32(00000000,?,00CF121C,000000FF,?,0000003F,?,?), ref: 00C5BC09
WideCharToMultiByte.KERNEL32(00000000,?,00CF1270,000000FF,?,0000003F,?,?,?,00CF121C,000000FF,?,0000003F,?,?), ref: 00C5BC36

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 548d9b9ee6f770e920fdf240e448cb82bb43162da4bdcdd9263f2362ce8172ec
Instruction ID: 61d37b4f719b9ea3d4fbfbe998b371154a3a3b422c984720b774294b21e0ba42
Opcode Fuzzy Hash: 548d9b9ee6f770e920fdf240e448cb82bb43162da4bdcdd9263f2362ce8172ec
Instruction Fuzzy Hash: 0731A075904205DFCB11DFA9DC80A7DBFB8BF45321B18426AE860E72B1D7309E84DB59

Function 00C9CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C9CE89
GetLastError.KERNEL32(?,00000000), ref: 00C9CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C9CEFE

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: af15bc6064841c33725ec2c6a7ef2836821a56a594f761ea00915949a51429f4
Instruction ID: 358549eb394765b9d9d9fb1904bf37359ab8212f07cdec5d7764e6c9e23326cf
Opcode Fuzzy Hash: af15bc6064841c33725ec2c6a7ef2836821a56a594f761ea00915949a51429f4
Instruction Fuzzy Hash: CA21ACB1900705EBEF20DFA6C988BABB7FCEB50354F10442EE556D2151E770EE049B60

Function 00C88298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C882AA

Strings

|, xrefs: 00C882DA
(, xrefs: 00C882F0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 769b2ba6d4499f89d74b3cf58376369943eca99d86ecfe1c802ac626d21541e3
Instruction ID: aadd2488830441c9da988579c04702c6c563a502a193c116ac143f20cc3ed3e9
Opcode Fuzzy Hash: 769b2ba6d4499f89d74b3cf58376369943eca99d86ecfe1c802ac626d21541e3
Instruction Fuzzy Hash: 9C324474A006059FCB28DF19C080A6AB7F0FF48714B51C46EE5AADB7A1EB70E981CB44

Function 00C95C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C95CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C95D17
FindClose.KERNEL32(?), ref: 00C95D5F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 8685d429b7195cadc6bcb7c32ffe2a3f9a8473835bd6c9396477f02ba2f120b8
Instruction ID: 5edeeec4ed9fa6ce936d1447d8b6542a1a791b511c6d73e0666b6a92978a406c
Opcode Fuzzy Hash: 8685d429b7195cadc6bcb7c32ffe2a3f9a8473835bd6c9396477f02ba2f120b8
Instruction Fuzzy Hash: 93519B756046019FCB14DF28D498E9AB7E4FF49314F14855EE96A8B3A2CB30ED04CF91

Function 00C52622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C5271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C52724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C52731

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ec032e04ecfa874febb1222ecbc25bb1462c83660be26ead833702efef1d8aa
Instruction ID: 028b54ce5e5dbbdbf29b72ea1357bf8aa73367211727cdb3e9c49dfd6f146731
Opcode Fuzzy Hash: 2ec032e04ecfa874febb1222ecbc25bb1462c83660be26ead833702efef1d8aa
Instruction Fuzzy Hash: C631B5759512189BCB21DF64DC89BDDB7B8BF08310F5042EAE81CA7261E7309F859F45

Function 00C951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C95238
SetErrorMode.KERNEL32(00000000), ref: 00C952A1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5e95f689703b5201e28b96decfa185f94b68a36a3c9723d02de07bab0bf92edc
Instruction ID: ee8ec7c4e8fe9a533462a42ac4c92bc129091adfdd0d252140c5e874c7ef6b9a
Opcode Fuzzy Hash: 5e95f689703b5201e28b96decfa185f94b68a36a3c9723d02de07bab0bf92edc
Instruction Fuzzy Hash: 26312B75A005189FDB00DF94D8C8FADBBB4FF49314F088099E805AB3A2DB31E955CB91

Function 00C816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C40668
Part of subcall function 00C3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C40685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C8170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C8173A
GetLastError.KERNEL32 ref: 00C8174A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f9d6b64cce4228af9bcc66db1816209dc0e350fed4fc87bd098a4c0a78c2a1af
Instruction ID: 5a5590c9bb744ea93af5dabc4f21ce1736fd7c45d3b2a1143578d187d9f51fd3
Opcode Fuzzy Hash: f9d6b64cce4228af9bcc66db1816209dc0e350fed4fc87bd098a4c0a78c2a1af
Instruction Fuzzy Hash: 0C118CB2814204AFD718AF54ECCAE6BB7FDEB44714B24852EF46657241EB70BC428B24

Function 00C8D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C8D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C8D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C8D650

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 50fbb46830de56c1610e44bfc3927d1cc662a50055d7cf42f8b12bf9eb4f29a1
Instruction ID: 5a46af2c27cf20829518f116d0419c84d2d248ea2503833dfaa7254f87b7bc8f
Opcode Fuzzy Hash: 50fbb46830de56c1610e44bfc3927d1cc662a50055d7cf42f8b12bf9eb4f29a1
Instruction Fuzzy Hash: 4B118E71E05228BFDB108F99EC84FAFBBBCEB45B60F108121F914E7290D2704E018BA1

Function 00C81663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C8168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C816A1
FreeSid.ADVAPI32(?), ref: 00C816B1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eec323f532a4060f87dcd852e5fec477da19fad1689be02f6aee7abfe41a0d29
Instruction ID: aa5a43da593d179594c08dde017ff1f3b19bff824a81b5205b766e9106359d0b
Opcode Fuzzy Hash: eec323f532a4060f87dcd852e5fec477da19fad1689be02f6aee7abfe41a0d29
Instruction Fuzzy Hash: FCF0F471950309FBDB00EFE4DC89AAEBBBCFB08604F504565E901E2181E774AA448B64

Function 00C7D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C7D28C

Strings

X64, xrefs: 00C7D2A8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 40c1891590afac56330587f3f284239971901cffa3a356c46bf4469b16930aa7
Instruction ID: e1481560613215082f417bc752369256121110e4da0c30b2f14debc2e06a7b0a
Opcode Fuzzy Hash: 40c1891590afac56330587f3f284239971901cffa3a356c46bf4469b16930aa7
Instruction Fuzzy Hash: B7D0CAB481112DEBCB94DBA0ECC8EDEB7BCBB14305F104292F50AA2000DB309A498F20

Function 00C4CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: f6b792da03e315db686ee15b51bc64fb3fa02d06511a77b31e53beb64903b9f1
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B6022B71E012199BDF54CFA9C8C06ADFBF1FF48314F25816AD929E7390D731AA418B94

Function 00C968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C96918
FindClose.KERNEL32(00000000), ref: 00C96961

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a440f43323a2d5bbfca95b6c242cebc856b47cee536993569612ee9ae34d85a7
Instruction ID: a9be70d1906cb954128dcde9f3adbca9e240b0a6ea878c2b04d8be4d800ebfc4
Opcode Fuzzy Hash: a440f43323a2d5bbfca95b6c242cebc856b47cee536993569612ee9ae34d85a7
Instruction Fuzzy Hash: 5C118E316042109FCB10DF69D4C8A1ABBE5EF89328F15C6A9E4698F6A2C730EC05CB91

Function 00C937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CA4891,?,?,00000035,?), ref: 00C937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CA4891,?,?,00000035,?), ref: 00C937F4

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1135d16c8a290d7366ea47ea6b834fc6f4aab82ec5248eb60a3f678bc7efc1bd
Instruction ID: e341a0d554e37b85acd3451c6e94b9900b3714d99a110f6f2af681913593c209
Opcode Fuzzy Hash: 1135d16c8a290d7366ea47ea6b834fc6f4aab82ec5248eb60a3f678bc7efc1bd
Instruction Fuzzy Hash: FEF0E5B07042282AEB2057A69C8DFEB3AAEEFC5761F000265F509D22D1DA609904C6B1

Function 00C8B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C8B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00C8B270

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 6e4a06822912a9c91cc580d7b3e75dc1b3633c3ffd97e68c721edc9e5954df45
Instruction ID: 0162936ae407561ee248a2574799c4e26b5026c6243b4c6dc2991f95548897e2
Opcode Fuzzy Hash: 6e4a06822912a9c91cc580d7b3e75dc1b3633c3ffd97e68c721edc9e5954df45
Instruction Fuzzy Hash: 37F06D7080424EABDF059FA0C805BEE7BB0FF04309F008009F961A5192C37986019F98

Function 00C810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C811FC), ref: 00C810D4
CloseHandle.KERNEL32(?,?,00C811FC), ref: 00C810E9

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6f8ee7e836a931f421f8917c589d2e2cd56c59d9e9e32bd7b1cfa84e731f4e63
Instruction ID: da93d3b60964e5af1a377107f5b1027ceb9e9925fb681ad663357c06da5e1139
Opcode Fuzzy Hash: 6f8ee7e836a931f421f8917c589d2e2cd56c59d9e9e32bd7b1cfa84e731f4e63
Instruction Fuzzy Hash: 49E04F32418600AFE7252B11FC09F7777E9EB04320F14892DF4A5804B1DB626C91EB50

Function 00C2CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C70C40

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 055421b003ab7ce4a7e45e7cbbfff348e0138019f3638857d7663b55a478988b
Instruction ID: 6688bcce7e8e40a4d7bcd233f880f84b76081c9b523f98d121929670f847213e
Opcode Fuzzy Hash: 055421b003ab7ce4a7e45e7cbbfff348e0138019f3638857d7663b55a478988b
Instruction Fuzzy Hash: E932BC70900228DBCF14DF94E9C1BEDB7B5FF09304F208069E81AAB692D775AE45DB61

Function 00C5676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C56766,?,?,00000008,?,?,00C5FEFE,00000000), ref: 00C56998

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
Instruction ID: ab8a93f9c6b4b27bd9a3397eb9627a2bfed7094b422caa337aefac0e79e13a71
Opcode Fuzzy Hash: cb1a20373b4180e0e8520ee43e80bfb63bdf88f0e05788ca8bb2137a216b5671
Instruction Fuzzy Hash: 59B16C39610608DFD715CF28C486B657BE0FF05366F658658ECA9CF2A2C335DA89CB44

Function 00C3B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C7851F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b3fb3b0b399346bc16ebf99983d8fb468b1599692f9469448b683b8fb60c1af4
Instruction ID: c011e6707b9cb54f86d6cae88ff386d943517fa9695ce8698df5a0033a78e055
Opcode Fuzzy Hash: b3fb3b0b399346bc16ebf99983d8fb468b1599692f9469448b683b8fb60c1af4
Instruction Fuzzy Hash: E3126E71A102299BCB14CF59C881BEEB7F5FF48710F14819AE959EB251EB309E85CF90

Function 00C9EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C9EABD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5dc2836610b770781093453b354b2ccef52b02d779b84b67ad218db6d0bacb6c
Instruction ID: f8d8da63c6e6abc1fb7972e076a891f97b9c96546aaa66a32b4201ce8a15a29e
Opcode Fuzzy Hash: 5dc2836610b770781093453b354b2ccef52b02d779b84b67ad218db6d0bacb6c
Instruction Fuzzy Hash: D8E048312002159FD710EF59D444E5AFBD9AF58760F048426FC45C7761DB70EC419B90

Function 00C409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C403EE), ref: 00C409DA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: aa0283e641509bdf74ce434271c80280cd313de376ccd186498ed92d6a0df92a
Instruction ID: bd0c8c19261875eda3ce74e09d5253bcbc698bb0c1ebf99b39a403d232361144
Opcode Fuzzy Hash: aa0283e641509bdf74ce434271c80280cd313de376ccd186498ed92d6a0df92a
Instruction Fuzzy Hash:

Function 00C4781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C4798B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e26b7a5c077455ebd52cf364c24e6211c50b405f44687ccb70857df0f4c5fc04
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 35518B71A0C7455BDF388579895D7BF2789BB22300F180B09E8A2EB2C2C715DF09E356

Function 00C56DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af88cc12de7b34de2a8711ff12e426c5647a03f9722f5944dfe352091476fb20
Instruction ID: 5f352ce7b04a20ffc1280cd3052b9f68403f9bfa395a1fc0b2eae6535eba3b2f
Opcode Fuzzy Hash: af88cc12de7b34de2a8711ff12e426c5647a03f9722f5944dfe352091476fb20
Instruction Fuzzy Hash: 5B321326D29F014DD7239634D822339A249AFB73C6F15D737EC2AB59A6EF28C5C34100

Function 00C3CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929805c733b7b72954014c8614dbd92e2dea039d56b02cac0e034cfc0ad07d1b
Instruction ID: c3598c2985832d650e171b84cd28db2fa53089f8e756518892307528ae60ad3e
Opcode Fuzzy Hash: 929805c733b7b72954014c8614dbd92e2dea039d56b02cac0e034cfc0ad07d1b
Instruction Fuzzy Hash: 51321631A001578BDF28DF29D4D467D7BA1EB45310F28C56EE86EAB291D730DE82EB41

Function 00C27920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79823baf9fd41c7052383d1783553c785571064b31f8ba43e9f4d6bb7f41f95a
Instruction ID: 112cb640ac639a3821146153e0296109534a1a64af24e15efc8e73ca792f5c90
Opcode Fuzzy Hash: 79823baf9fd41c7052383d1783553c785571064b31f8ba43e9f4d6bb7f41f95a
Instruction Fuzzy Hash: FD22D170A0061ADFDF14CF65D8C1AAEB3F1FF44300F204629E816A7691EB36AE55DB50

Function 00C291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488c1d991ff5b70d602ae9660d9797bafc099922582b9c5d9245664a10aaf64b
Instruction ID: ed17a798c2b28bd2ad0fe451bb5d38b4203a230da30ebc1aacbe9d3a061424c1
Opcode Fuzzy Hash: 488c1d991ff5b70d602ae9660d9797bafc099922582b9c5d9245664a10aaf64b
Instruction Fuzzy Hash: 8E02C6B0E00219EFDB14DF55D881AAEBBB1FF44304F108569E8169B291EB31EE21DB95

Function 00C59EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22edf8e84cf75026e75dee9201259378458b12dc2cdf4cbf294dd66f67ba0741
Instruction ID: ad125024d3cfb9dde10cb0c5a086dd1fdf59f8eec2aff12f10e2998b83ae33b7
Opcode Fuzzy Hash: 22edf8e84cf75026e75dee9201259378458b12dc2cdf4cbf294dd66f67ba0741
Instruction Fuzzy Hash: 66B1E120D2AF814DD3239639D83133AB65CAFBB6D5F95D71BFC2674D62EB2286834140

Function 00C41C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4289f811252e586c442959e26ff96629a15dcc7f4c5c3db5e0ddbc3abdcdebec
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 739157766080E34ADB2A467E857407EFFE17A523B131E079DDCF2CA1C5FE249A94D620

Function 00C41F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 38a74a2d61e377475189b1c43643274c3373840a8c110d7544842017a7716bee
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 63917A726090E349EB2D467A857503DFFE16A923A135E079DF8F2CB1C5EE24CA58D620

Function 00C419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: e5bed8bbf9892df857f66a3537b1942588a479d0fa2b37dcad05525218cd36f0
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 619115722090E34EDB6D467A857443DFFE1AA923A131E079DDCF2CA1C5FE24D694E620

Function 00C47A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
Instruction ID: 8eecf0d18269045bfdc80102f2619767fed662bb5b4729de1dc25fbc3dbe7458
Opcode Fuzzy Hash: 03301619bf102c4c31924df29fa0706d223576eb907da8fb87dd865a831e32c8
Instruction Fuzzy Hash: 9061787160874997EE349A288D95BBE2398FF41700F201B1EFDA3DB281DB119F46E356

Function 00C47CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebc6e359fac7bd68019a1189440f013adbfeaa65ac0abcce308b523f081befc
Instruction ID: 4f4c5225925e5167411102475d76c8c4a3908fbe518ccd74249a75ccf051b3d5
Opcode Fuzzy Hash: 2ebc6e359fac7bd68019a1189440f013adbfeaa65ac0abcce308b523f081befc
Instruction Fuzzy Hash: 3961CD31E2C7496BDE389A284D95BBF2398FF42704F100B59E953DB281DB12EF429355

Function 00C41706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e7bb34e96758302fd2ee4ab78053c77e06ca7fbbe204b17b794f7f89d45c2518
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E58143726090E349DB6D467A857443EFFE17A923A131E079DDCF2CA1C1EE249794E620

Function 00C92046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f9c06b2eaf597d5e1dff16273f6ddcad019c6b2fa2be0825164468f6364f34
Instruction ID: d5db6a420af4e0c4c8aff40f692e7c443d20d291a4807759e68605b031481d1a
Opcode Fuzzy Hash: 41f9c06b2eaf597d5e1dff16273f6ddcad019c6b2fa2be0825164468f6364f34
Instruction Fuzzy Hash: B221B7326206158BDB28CF79C82377E73E5A754320F25862EE4A7C37D1DE35A904CB80

Function 00CA2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA2B30
DeleteObject.GDI32(00000000), ref: 00CA2B43
DestroyWindow.USER32 ref: 00CA2B52
GetDesktopWindow.USER32 ref: 00CA2B6D
GetWindowRect.USER32(00000000), ref: 00CA2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CA2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CA2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2CF8
GetClientRect.USER32(00000000,?), ref: 00CA2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CA2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D80
GlobalLock.KERNEL32(00000000), ref: 00CA2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CA2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2DA8
GlobalFree.KERNEL32(00000000), ref: 00CA2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CBFC38,00000000), ref: 00CA2DDB
GlobalFree.KERNEL32(00000000), ref: 00CA2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CA2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CA2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CA303F

Strings

DISPLAY, xrefs: 00CA2EA2
AutoIt v3, xrefs: 00CA2CF2
static, xrefs: 00CA2D3A, 00CA2E91
, xrefs: 00CA2FC5

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 05373507ae50097d76d9901a45658923f050770df3a1c021f1416162a9afb8d2
Instruction ID: 80680eb1f7ccaca0920cb35189871ba3c7e19a93823494cc42f721aabe1994a0
Opcode Fuzzy Hash: 05373507ae50097d76d9901a45658923f050770df3a1c021f1416162a9afb8d2
Instruction Fuzzy Hash: F0025971900215EFDB14DFA8DC89FAE7BB9EB49714F048258F915AB2A1CB74ED01CB60

Function 00CB70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CB712F
GetSysColorBrush.USER32(0000000F), ref: 00CB7160
GetSysColor.USER32(0000000F), ref: 00CB716C
SetBkColor.GDI32(?,000000FF), ref: 00CB7186
SelectObject.GDI32(?,?), ref: 00CB7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CB71C0
GetSysColor.USER32(00000010), ref: 00CB71C8
CreateSolidBrush.GDI32(00000000), ref: 00CB71CF
FrameRect.USER32(?,?,00000000), ref: 00CB71DE
DeleteObject.GDI32(00000000), ref: 00CB71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CB7230
FillRect.USER32(?,?,?), ref: 00CB7262
GetWindowLongW.USER32(?,000000F0), ref: 00CB7284

Part of subcall function 00CB73E8: GetSysColor.USER32(00000012), ref: 00CB7421
Part of subcall function 00CB73E8: SetTextColor.GDI32(?,?), ref: 00CB7425
Part of subcall function 00CB73E8: GetSysColorBrush.USER32(0000000F), ref: 00CB743B
Part of subcall function 00CB73E8: GetSysColor.USER32(0000000F), ref: 00CB7446
Part of subcall function 00CB73E8: GetSysColor.USER32(00000011), ref: 00CB7463
Part of subcall function 00CB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
Part of subcall function 00CB73E8: SelectObject.GDI32(?,00000000), ref: 00CB7482
Part of subcall function 00CB73E8: SetBkColor.GDI32(?,00000000), ref: 00CB748B
Part of subcall function 00CB73E8: SelectObject.GDI32(?,?), ref: 00CB7498
Part of subcall function 00CB73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CB74B7
Part of subcall function 00CB73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CB74CE
Part of subcall function 00CB73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CB74DB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6c98bdbae2a36a262c42a6bd30d3c63a22ea42aca93f5f3b561f4e40ac35b44b
Instruction ID: 6763ea0928cade1d4b35e73fbc1f2f8eee5abc912f45319c4163a050e82cbac4
Opcode Fuzzy Hash: 6c98bdbae2a36a262c42a6bd30d3c63a22ea42aca93f5f3b561f4e40ac35b44b
Instruction Fuzzy Hash: 50A16272008301EFD7119F64DC88B9F7BA9FB89321F100B19F9A2A61E1D775E944DB62

Function 00C38D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C38E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C76AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C76AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C76F43

Part of subcall function 00C38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C38BE8,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38FC5

SendMessageW.USER32(?,00001053), ref: 00C76F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C76F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C76FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C76FB7

Strings

0, xrefs: 00C76DCF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 867e201817f4a852ab1dc0d27c05360b67177d2885f2c7b502ac153e9a9d5f92
Instruction ID: 07d4e03ee13605e330eba78d62ce2efbef1f9f3ae27dd12be3afaf78d2301f2b
Opcode Fuzzy Hash: 867e201817f4a852ab1dc0d27c05360b67177d2885f2c7b502ac153e9a9d5f92
Instruction Fuzzy Hash: 6F12BB34200A01DFDB25CF24C884BBABBA5FB45300F188569F4A9CB261CB71EE56DF91

Function 00CA2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CA273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CA286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CA28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CA28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CA2900
GetClientRect.USER32(00000000,?), ref: 00CA290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CA2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CA2964
GetStockObject.GDI32(00000011), ref: 00CA2974
SelectObject.GDI32(00000000,00000000), ref: 00CA2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CA2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA2991
DeleteDC.GDI32(00000000), ref: 00CA299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CA29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CA29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CA2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CA2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CA2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CA2A77
GetStockObject.GDI32(00000011), ref: 00CA2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CA2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CA2A97

Strings

DISPLAY, xrefs: 00CA295A
msctls_progress32, xrefs: 00CA2A13
AutoIt v3, xrefs: 00CA28F8
static, xrefs: 00CA294F, 00CA2A71

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7cc5195de98ba1708fc7d1447f172274beb0887f0e97211b8d58528416bafee9
Instruction ID: ff625f897ba4f6fb7362bcc1560f1e52849bf965bfec4780bfe0e229f6c12ec4
Opcode Fuzzy Hash: 7cc5195de98ba1708fc7d1447f172274beb0887f0e97211b8d58528416bafee9
Instruction Fuzzy Hash: 1FB14C71A00215AFEB14DFA8DC89FAE7BA9EB49714F044214F915EB2A0D774ED40CBA0

Function 00C94ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C94AED
GetDriveTypeW.KERNEL32(?,00CBCB68,?,\\.\,00CBCC08), ref: 00C94BCA
SetErrorMode.KERNEL32(00000000,00CBCB68,?,\\.\,00CBCC08), ref: 00C94D36

Strings

Fibre, xrefs: 00C94CAD
CDROM, xrefs: 00C94BFB
ATA, xrefs: 00C94C98
1394, xrefs: 00C94C9F
Fixed, xrefs: 00C94C09
RAMDisk, xrefs: 00C94BF4
\\.\, xrefs: 00C94B3F
SATA, xrefs: 00C94CD0
SCSI, xrefs: 00C94C8A
SSD, xrefs: 00C94C4A
Network, xrefs: 00C94C02
FileBackedVirtual, xrefs: 00C94CEC
Virtual, xrefs: 00C94CE5
Removable, xrefs: 00C94C10, 00C94C15
RAID, xrefs: 00C94CBB
Unknown, xrefs: 00C94BED, 00C94C83
PhysicalDrive, xrefs: 00C94B76
ATAPI, xrefs: 00C94C91
USB, xrefs: 00C94CB4
SSA, xrefs: 00C94CA6
SAS, xrefs: 00C94CC9
MMC, xrefs: 00C94CDE
iSCSI, xrefs: 00C94CC2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5725293d00c18a7a7c1e5b10ca3f19447e384483a4114afb7dc226ff72c86c91
Instruction ID: 0f70e9dbe8b57f45167982328543ebe32d2a04f26e3f4e21c499ace9497b06cd
Opcode Fuzzy Hash: 5725293d00c18a7a7c1e5b10ca3f19447e384483a4114afb7dc226ff72c86c91
Instruction Fuzzy Hash: 0361D330705246DFCF0CDF26CA8AD6CB7A1EB18384B244465F806AB691DB35EF52EB41

Function 00CB73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CB7421
SetTextColor.GDI32(?,?), ref: 00CB7425
GetSysColorBrush.USER32(0000000F), ref: 00CB743B
GetSysColor.USER32(0000000F), ref: 00CB7446
CreateSolidBrush.GDI32(?), ref: 00CB744B
GetSysColor.USER32(00000011), ref: 00CB7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CB7471
SelectObject.GDI32(?,00000000), ref: 00CB7482
SetBkColor.GDI32(?,00000000), ref: 00CB748B
SelectObject.GDI32(?,?), ref: 00CB7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CB74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CB74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CB74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CB752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CB7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CB7572
DrawFocusRect.USER32(?,?), ref: 00CB757D
GetSysColor.USER32(00000011), ref: 00CB758E
SetTextColor.GDI32(?,00000000), ref: 00CB7596
DrawTextW.USER32(?,00CB70F5,000000FF,?,00000000), ref: 00CB75A8
SelectObject.GDI32(?,?), ref: 00CB75BF
DeleteObject.GDI32(?), ref: 00CB75CA
SelectObject.GDI32(?,?), ref: 00CB75D0
DeleteObject.GDI32(?), ref: 00CB75D5
SetTextColor.GDI32(?,?), ref: 00CB75DB
SetBkColor.GDI32(?,?), ref: 00CB75E5

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1a6818be75bb607f9c0ebae570a1df275114890f2c7ec87290ca15e3aac33a50
Instruction ID: 20cf75c44a81bc563354d02f77af8cf44a48bf81b3cf44fd010bafcb6d0a614f
Opcode Fuzzy Hash: 1a6818be75bb607f9c0ebae570a1df275114890f2c7ec87290ca15e3aac33a50
Instruction Fuzzy Hash: 55615D72904218AFDB119FA8DC89FEE7FB9EB48320F114215F915BB2A1D7709940DFA0

Function 00CB0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CB1128
GetDesktopWindow.USER32 ref: 00CB113D
GetWindowRect.USER32(00000000), ref: 00CB1144
GetWindowLongW.USER32(?,000000F0), ref: 00CB1199
DestroyWindow.USER32(?), ref: 00CB11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CB11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CB121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CB1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CB1245
IsWindowVisible.USER32(00000000), ref: 00CB12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CB12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CB12D0
GetWindowRect.USER32(00000000,?), ref: 00CB12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CB130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CB1328
CopyRect.USER32(?,?), ref: 00CB133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CB13AA

Strings

0, xrefs: 00CB10D3
tooltips_class32, xrefs: 00CB11E6
(, xrefs: 00CB131B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ff77bd33a09adb557a3b3d0015aa99fc1de21a5bf04e4fffc872e99412033211
Instruction ID: 133745b4d97684306c2ccbed0fe638ed8bf630beb84c90e2fd869450eada558d
Opcode Fuzzy Hash: ff77bd33a09adb557a3b3d0015aa99fc1de21a5bf04e4fffc872e99412033211
Instruction Fuzzy Hash: 71B1BC71608351AFD710DF64D884BAEBBE4FF88300F448A18F9999B2A1D770ED44CB92

Function 00C38891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C38968
GetSystemMetrics.USER32(00000007), ref: 00C38970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C3899B
GetSystemMetrics.USER32(00000008), ref: 00C389A3
GetSystemMetrics.USER32(00000004), ref: 00C389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C38A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C38A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C38A5A
GetStockObject.GDI32(00000011), ref: 00C38A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C38A81

Part of subcall function 00C3912D: GetCursorPos.USER32(?), ref: 00C39141
Part of subcall function 00C3912D: ScreenToClient.USER32(00000000,?), ref: 00C3915E
Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000001), ref: 00C39183
Part of subcall function 00C3912D: GetAsyncKeyState.USER32(00000002), ref: 00C3919D

SetTimer.USER32(00000000,00000000,00000028,00C390FC), ref: 00C38AA8

Strings

AutoIt v3 GUI, xrefs: 00C38A20

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1a5f85c73879ec34414aa14d8ea0446f4a7dd4959f5d3396f3e12ddebe8176a3
Instruction ID: 96c890380553018ba293ea5b77a02b66985bd857c9401373b97ded5ecea6d791
Opcode Fuzzy Hash: 1a5f85c73879ec34414aa14d8ea0446f4a7dd4959f5d3396f3e12ddebe8176a3
Instruction Fuzzy Hash: 7FB18971A00209EFDF14DFA8CC85BAE3BB5FB48314F158229FA15AB2D0DB74A944CB51

Function 00C80D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
Part of subcall function 00C810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
Part of subcall function 00C810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
Part of subcall function 00C810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
Part of subcall function 00C810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C80DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C80E29
GetLengthSid.ADVAPI32(?), ref: 00C80E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C80E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C80E96
GetLengthSid.ADVAPI32(?), ref: 00C80EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C80EB5
HeapAlloc.KERNEL32(00000000), ref: 00C80EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C80EDD
CopySid.ADVAPI32(00000000), ref: 00C80EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C80F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C80F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C80F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F6E
HeapFree.KERNEL32(00000000), ref: 00C80F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F7E
HeapFree.KERNEL32(00000000), ref: 00C80F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C80F8E
HeapFree.KERNEL32(00000000), ref: 00C80F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C80FA1
HeapFree.KERNEL32(00000000), ref: 00C80FA8

Part of subcall function 00C81193: GetProcessHeap.KERNEL32(00000008,00C80BB1,?,00000000,?,00C80BB1,?), ref: 00C811A1
Part of subcall function 00C81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C80BB1,?), ref: 00C811A8
Part of subcall function 00C81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C80BB1,?), ref: 00C811B7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 33729d71279b9992f7cdb0b25b11b038ec60a5e90c2c01c744ee3cf2706b237d
Instruction ID: 30b0b40e70ebefb2fc2b3cde3b141167f637d71775c2f4fe55a144157145661c
Opcode Fuzzy Hash: 33729d71279b9992f7cdb0b25b11b038ec60a5e90c2c01c744ee3cf2706b237d
Instruction Fuzzy Hash: DE715E7190020AABDF60EFA4DC45FAEBBB8BF05344F148215FA69E7191D7319A19CB60

Function 00CAC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CAC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CBCC08,00000000,?,00000000,?,?), ref: 00CAC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CAC5A4
_wcslen.LIBCMT ref: 00CAC5F4
_wcslen.LIBCMT ref: 00CAC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CAC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CAC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CAC84D
RegCloseKey.ADVAPI32(?), ref: 00CAC881
RegCloseKey.ADVAPI32(00000000), ref: 00CAC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CAC960

Strings

REG_MULTI_SZ, xrefs: 00CAC6F5
REG_DWORD, xrefs: 00CAC804
REG_BINARY, xrefs: 00CAC913
REG_SZ, xrefs: 00CAC644
REG_QWORD, xrefs: 00CAC8C3
REG_EXPAND_SZ, xrefs: 00CAC5CD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 0d1bf30d0f14babd096edd05eff935a3bc27a39a9066d09313cc7da7b1d3a847
Instruction ID: 3be928bac921eed2e83c4acdb380a4e375307c754058b90f5fa8ede1c0e23533
Opcode Fuzzy Hash: 0d1bf30d0f14babd096edd05eff935a3bc27a39a9066d09313cc7da7b1d3a847
Instruction Fuzzy Hash: F41289356042119FC714DF28D881B2AB7E5FF89718F04896CF89A9B7A2DB31ED41DB81

Function 00CB091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CB09C6
_wcslen.LIBCMT ref: 00CB0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CB0A54
_wcslen.LIBCMT ref: 00CB0A8A
_wcslen.LIBCMT ref: 00CB0B06
_wcslen.LIBCMT ref: 00CB0B81

Part of subcall function 00C3F9F2: _wcslen.LIBCMT ref: 00C3F9FD

Part of subcall function 00C82BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C82BFA

Strings

SELECT, xrefs: 00CB0D11
EXISTS, xrefs: 00CB0B7C, 00CB0B97
COLLAPSE, xrefs: 00CB0B01, 00CB0B1C
EXPAND, xrefs: 00CB0BF8
GETSELECTED, xrefs: 00CB0C4E
UNCHECK, xrefs: 00CB0D3E
CHECK, xrefs: 00CB0A85, 00CB0AA0
GETTOTALCOUNT, xrefs: 00CB09F2, 00CB0A17
ISCHECKED, xrefs: 00CB0CE1
GETITEMCOUNT, xrefs: 00CB0C1E
GETTEXT, xrefs: 00CB0C97

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 8756ab4958433502898067741aa5d945329a211fc316b0c026160be37ab2af2e
Instruction ID: c589489f2d5f3879c93d705dcbee70ee78273fd66a94384f5679011326dc10bf
Opcode Fuzzy Hash: 8756ab4958433502898067741aa5d945329a211fc316b0c026160be37ab2af2e
Instruction Fuzzy Hash: ADE19D316083518FCB14DF25C49096BB7E1BF98314F24895DF8A69B7A2D730EE46DB81

Function 00CAC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
_wcslen.LIBCMT ref: 00CAC9F1
_wcslen.LIBCMT ref: 00CACA68
_wcslen.LIBCMT ref: 00CACA9E
_wcslen.LIBCMT ref: 00CACAF9
_wcslen.LIBCMT ref: 00CACB2F
_wcslen.LIBCMT ref: 00CACB7F

Strings

HKU, xrefs: 00CACBF0
HKCU, xrefs: 00CACBCE
HKEY_CURRENT_CONFIG, xrefs: 00CACB79, 00CACB7E
HKEY_LOCAL_MACHINE, xrefs: 00CACA62, 00CACA67
HKEY_CLASSES_ROOT, xrefs: 00CACAF3, 00CACAF8
HKEY_USERS, xrefs: 00CACBDF
HKCR, xrefs: 00CACB29, 00CACB2E
HKLM, xrefs: 00CACA98, 00CACA9D
HKCC, xrefs: 00CACBAC
HKEY_CURRENT_USER, xrefs: 00CACBBD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5f4e618ae655796142ec9a26427599e486eff2c5ea348c9a18d6ca6962443d2d
Instruction ID: 3c86888373cedcbd01f5560016a2b1e787bdb04c089953c7d8803affd19b12b1
Opcode Fuzzy Hash: 5f4e618ae655796142ec9a26427599e486eff2c5ea348c9a18d6ca6962443d2d
Instruction Fuzzy Hash: EC71D73260416B8BCF20DE7DD9D16BE3395AB6275CF250528F87697284E631CE45E3A0

Function 00CB833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB835A
_wcslen.LIBCMT ref: 00CB836E
_wcslen.LIBCMT ref: 00CB8391
_wcslen.LIBCMT ref: 00CB83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CB83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CB361A,?), ref: 00CB844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CB8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CB84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CB8501
FreeLibrary.KERNEL32(?), ref: 00CB850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CB851D
DestroyIcon.USER32(?), ref: 00CB852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CB8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CB8555

Strings

.dll, xrefs: 00CB83AB
.icl, xrefs: 00CB8368
.exe, xrefs: 00CB8388

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 13c11a5c74ad04c4abf3342c7a55b20744ac06309765ec49a6128f53f8976d7d
Instruction ID: 1809a429d07cc3f9acaf789b43c2df1cd825003fdddc45797542a24f98a2990a
Opcode Fuzzy Hash: 13c11a5c74ad04c4abf3342c7a55b20744ac06309765ec49a6128f53f8976d7d
Instruction Fuzzy Hash: 8F61DF71500215BEEB24DF64CC81BFE77ACBB08B11F104609F825E61D1DF74AA88EBA0

Function 00C27778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00C2785F, 00C278B1
Bad directive syntax error, xrefs: 00C6519A
', xrefs: 00C65169
Unterminated group of comments, xrefs: 00C6528C
#ce, xrefs: 00C278ED
Cannot parse #include, xrefs: 00C65279
#pragma compile, xrefs: 00C277D3
", xrefs: 00C65153
#notrayicon, xrefs: 00C277E7
#include-once, xrefs: 00C2782F
#requireadmin, xrefs: 00C277FF
#OnAutoItStartRegister, xrefs: 00C27817
#cs, xrefs: 00C27873, 00C278C5
#comments-end, xrefs: 00C278D9
#include, xrefs: 00C27847

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 641144d76f265852a1144890e1cadf8027ea974689fa2cf6a2d51256ebcc2e74
Instruction ID: d3e730c23d3cf22af369daef542dc27fefc4b9cad09b02c0f45d8da9bb49c38b
Opcode Fuzzy Hash: 641144d76f265852a1144890e1cadf8027ea974689fa2cf6a2d51256ebcc2e74
Instruction Fuzzy Hash: C8812771A04225BBDF21AF61ECC2FAE37B8BF15700F144124F914AB592EB70DA45D7A1

Function 00C93E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C93EF8
_wcslen.LIBCMT ref: 00C93F03
_wcslen.LIBCMT ref: 00C93F5A
_wcslen.LIBCMT ref: 00C93F98
GetDriveTypeW.KERNEL32(?), ref: 00C93FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C9401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C94059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C94087

Strings

close cd wait, xrefs: 00C94072
wait, xrefs: 00C94044
open , xrefs: 00C93FE5
set cd door , xrefs: 00C94028
type cdaudio alias cd wait, xrefs: 00C94001
open, xrefs: 00C93F54, 00C93F59
closed, xrefs: 00C93F08, 00C93F2D, 00C93F46, 00C93F7E, 00C93F97
close, xrefs: 00C93EFE, 00C93F18

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 795a852053eaf8d8ab599be3681154967ac997e1c1a538a21389cf20838ed2d9
Instruction ID: 82a4bbd308d53944f55ab0f4c7b808855533778403c95d009f174fe97bd5e5f8
Opcode Fuzzy Hash: 795a852053eaf8d8ab599be3681154967ac997e1c1a538a21389cf20838ed2d9
Instruction Fuzzy Hash: 9271E1726043119FCB10EF24C88596EB7F4EFA8754F10492DF8A597261EB30EE46DB91

Function 00C85A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C85A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C85A40
SetWindowTextW.USER32(?,?), ref: 00C85A57
GetDlgItem.USER32(?,000003EA), ref: 00C85A6C
SetWindowTextW.USER32(00000000,?), ref: 00C85A72
GetDlgItem.USER32(?,000003E9), ref: 00C85A82
SetWindowTextW.USER32(00000000,?), ref: 00C85A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C85AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C85AC3
GetWindowRect.USER32(?,?), ref: 00C85ACC
_wcslen.LIBCMT ref: 00C85B33
SetWindowTextW.USER32(?,?), ref: 00C85B6F
GetDesktopWindow.USER32 ref: 00C85B75
GetWindowRect.USER32(00000000), ref: 00C85B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C85BD3
GetClientRect.USER32(?,?), ref: 00C85BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C85C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C85C2F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 38d9bde30aee976cd693cb6ba673956108913a5f5f4eaa778e06a513b10334f1
Instruction ID: 4ec441390a1a65f93575b8df882b3f439ab5b3717f413c284ad8ebb7ff0f6b9a
Opcode Fuzzy Hash: 38d9bde30aee976cd693cb6ba673956108913a5f5f4eaa778e06a513b10334f1
Instruction Fuzzy Hash: E2716E31900B05AFDB20EFA9CE85FAEBBF5FF48708F104618E552A25A0D7B5E944CB54

Function 00C9FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C9FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00C9FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00C9FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00C9FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00C9FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00C9FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00C9FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00C9FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00C9FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00C9FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00C9FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00C9FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00C9FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00C9FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00C9FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00C9FECC
GetCursorInfo.USER32(?), ref: 00C9FEDC
GetLastError.KERNEL32 ref: 00C9FF1E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f6a9ae9295ee838accd0f946c3462f1c7eef133bfa8f2ddb90ad6f6d0cc0d569
Instruction ID: 94e4499d186984d404ffdc90b0dd4266907504c04ad6c65975ed41f563f00807
Opcode Fuzzy Hash: f6a9ae9295ee838accd0f946c3462f1c7eef133bfa8f2ddb90ad6f6d0cc0d569
Instruction Fuzzy Hash: 954152B0D08319AADB10DFBA8CC995EBFE8FF04354B50452AF11DE7281DB78A901CE91

Function 00C400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C400C6

Part of subcall function 00C400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CF070C,00000FA0,126EEA38,?,?,?,?,00C623B3,000000FF), ref: 00C4011C
Part of subcall function 00C400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C623B3,000000FF), ref: 00C40127
Part of subcall function 00C400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C623B3,000000FF), ref: 00C40138
Part of subcall function 00C400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C4014E
Part of subcall function 00C400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C4015C
Part of subcall function 00C400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C4016A
Part of subcall function 00C400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C40195
Part of subcall function 00C400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C401A0

___scrt_fastfail.LIBCMT ref: 00C400E7

Part of subcall function 00C400A3: __onexit.LIBCMT ref: 00C400A9

Strings

kernel32.dll, xrefs: 00C40133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C40122
SleepConditionVariableCS, xrefs: 00C40154
WakeAllConditionVariable, xrefs: 00C40162
InitializeConditionVariable, xrefs: 00C40148

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fa4bc962eb273e97a645b669898204f0743fb4a689e7e24b07c520b3f1949a67
Instruction ID: c787a1a05d713cce0fbe2e04b6fe9bc0c7553ade277dd48abee28188ed43eee1
Opcode Fuzzy Hash: fa4bc962eb273e97a645b669898204f0743fb4a689e7e24b07c520b3f1949a67
Instruction Fuzzy Hash: 6121C933A847106BD7116BB4AC86B6E7398FB45F51F20063EFE11A6292DF749C008A91

Function 00C830F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8318D
_wcslen.LIBCMT ref: 00C831F8

Strings

CLASSNN, xrefs: 00C831F3, 00C83204
TEXT, xrefs: 00C8347C
NAME, xrefs: 00C83335, 00C83346
INSTANCE, xrefs: 00C83453
CLASS, xrefs: 00C83188, 00C831A5
REGEXPCLASS, xrefs: 00C83255, 00C83266

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 74382f99938ee55919c7b9d8d8130859ceb3945a64ce1f8ad067404851304f3c
Instruction ID: 418567503c22e9dda550c5e80cff4974daf12772c414a0dacd3cca091f4c586e
Opcode Fuzzy Hash: 74382f99938ee55919c7b9d8d8130859ceb3945a64ce1f8ad067404851304f3c
Instruction Fuzzy Hash: 84E11731A00696ABCF18AF78C8517EDFBB0BF54B18F149129E466B7240DB30AF859794

Function 00C944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CBCC08), ref: 00C94527
_wcslen.LIBCMT ref: 00C9453B
_wcslen.LIBCMT ref: 00C94599
_wcslen.LIBCMT ref: 00C945F4
_wcslen.LIBCMT ref: 00C9463F
_wcslen.LIBCMT ref: 00C946A7

Part of subcall function 00C3F9F2: _wcslen.LIBCMT ref: 00C3F9FD

GetDriveTypeW.KERNEL32(?,00CE6BF0,00000061), ref: 00C94743

Strings

cdrom, xrefs: 00C9458F, 00C94594
network, xrefs: 00C9469D, 00C946A2
fixed, xrefs: 00C94635, 00C9463A
removable, xrefs: 00C945EA, 00C945EF
ramdisk, xrefs: 00C946F1
all, xrefs: 00C94531, 00C94536
unknown, xrefs: 00C94708

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6cd3a84d2063bd64ae9e55bb9ce1fd179c693a3d5df1f4fe63692fd18371cdd8
Instruction ID: b74bef0c27bb746c59c4da241310d4fc2f50b1694257bd69b7681bacbb6990cb
Opcode Fuzzy Hash: 6cd3a84d2063bd64ae9e55bb9ce1fd179c693a3d5df1f4fe63692fd18371cdd8
Instruction Fuzzy Hash: 1CB134716083029FCB18DF28C894E6EB7E5BFA5760F10491DF0A6C7291D730DA46CBA2

Function 00CA3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CBCC08), ref: 00CA40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CA40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CBCC08), ref: 00CA40F2
FreeLibrary.KERNEL32(00000000,?,00CBCC08), ref: 00CA413E
StringFromGUID2.OLE32(?,?,00000028,?,00CBCC08), ref: 00CA41A8
SysFreeString.OLEAUT32(00000009), ref: 00CA4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CA42C8
SysFreeString.OLEAUT32(?), ref: 00CA42F2

Strings

kernel32.dll, xrefs: 00CA40B6
GetModuleHandleExW, xrefs: 00CA40C7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a3d6f475007f54a3151fc4035c9c73b5e086b025e015865dda956a4f722c5a2b
Instruction ID: 0333dd5440d23463b609415f5ef9f0facf93faeaa07fec93f5f1efe98de46a5d
Opcode Fuzzy Hash: a3d6f475007f54a3151fc4035c9c73b5e086b025e015865dda956a4f722c5a2b
Instruction Fuzzy Hash: 16124F75A00116EFDB18DF54C884EAEB7B5FF89318F248098F9159B251D771EE42CBA0

Function 00C2326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00CF1990), ref: 00C62F8D
GetMenuItemCount.USER32(00CF1990), ref: 00C6303D
GetCursorPos.USER32(?), ref: 00C63081
SetForegroundWindow.USER32(00000000), ref: 00C6308A
TrackPopupMenuEx.USER32(00CF1990,00000000,?,00000000,00000000,00000000), ref: 00C6309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C630A9

Strings

0, xrefs: 00C2327D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6449976ea692486ddd92cbceb10dd40473546062dc96118720855d7afc3aead6
Instruction ID: b5f4355b998ac3f9727d7046f4ab989f57a8699fa8acc1db8075b197c358cb07
Opcode Fuzzy Hash: 6449976ea692486ddd92cbceb10dd40473546062dc96118720855d7afc3aead6
Instruction Fuzzy Hash: 7F713A30640656BEEB319F65DCC9FAABF69FF04324F200216F5246A1E1C7B1AE14D751

Function 00CB6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CB6DEB

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CB6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CB6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB6E94
DestroyWindow.USER32(?), ref: 00CB6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C20000,00000000), ref: 00CB6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CB6EFD
GetDesktopWindow.USER32 ref: 00CB6F16
GetWindowRect.USER32(00000000), ref: 00CB6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CB6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CB6F4D

Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952

Strings

0, xrefs: 00CB6D98
tooltips_class32, xrefs: 00CB6E58, 00CB6EDD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b17c0806ab0aca397e542d5d007c13d3b19de138c71c44c9c0d97779a05b2c46
Instruction ID: 521a7cc510dc17704c36d3b56075bbfcb2c7aeae782f3367723b5034012c1ffa
Opcode Fuzzy Hash: b17c0806ab0aca397e542d5d007c13d3b19de138c71c44c9c0d97779a05b2c46
Instruction Fuzzy Hash: 01716575504284AFDB21CF68D888FBABBE9EB89304F08051DF99997261C774EA05DB12

Function 00CB911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

DragQueryPoint.SHELL32(?,?), ref: 00CB9147

Part of subcall function 00CB7674: ClientToScreen.USER32(?,?), ref: 00CB769A
Part of subcall function 00CB7674: GetWindowRect.USER32(?,?), ref: 00CB7710
Part of subcall function 00CB7674: PtInRect.USER32(?,?,00CB8B89), ref: 00CB7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CB91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CB91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CB91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CB9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CB923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CB9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CB9277
DragFinish.SHELL32(?), ref: 00CB927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CB9371

Strings

@GUI_DROPID, xrefs: 00CB929E
@GUI_DRAGID, xrefs: 00CB92E9
@GUI_DRAGFILE, xrefs: 00CB9320

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: c8fae5093901cf0dc23d6fcce69ba39f8dff7a3f7bd6200d39f8eea78b9ef463
Instruction ID: 4b8e4a0a60e5eee8c7dab1de0c9a4d9b1ff37034336facebacd97d713e5f21b5
Opcode Fuzzy Hash: c8fae5093901cf0dc23d6fcce69ba39f8dff7a3f7bd6200d39f8eea78b9ef463
Instruction Fuzzy Hash: 03615C71108301AFD701DF64DC85EAFBBE8EF99750F000A2DF595931A1DB709A49DB52

Function 00C9C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C9C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C9C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C9C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C9C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C9C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C9C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C9C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C9C5F0
InternetCloseHandle.WININET(00000000), ref: 00C9C5FB

Strings

, xrefs: 00C9C575

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 94c8973795cfbd06fb02c4685ae392dd25a850c56b24b8124b071a5c431075d2
Instruction ID: d4b462e46767f5a2243277ed4331e0d5de7c98368ed0219a89f1acaf4e69d41c
Opcode Fuzzy Hash: 94c8973795cfbd06fb02c4685ae392dd25a850c56b24b8124b071a5c431075d2
Instruction Fuzzy Hash: 895129B1600608BFEB219F65C9C8BBB7BFCFB08754F004519F956D6250DB34EA44AB61

Function 00CB856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CB8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00CB85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CB85AD
CloseHandle.KERNEL32(00000000), ref: 00CB85BA
GlobalLock.KERNEL32(00000000), ref: 00CB85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CB85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CB85E0
CloseHandle.KERNEL32(00000000), ref: 00CB85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CB85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CBFC38,?), ref: 00CB8611
GlobalFree.KERNEL32(00000000), ref: 00CB8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CB8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CB8671
DeleteObject.GDI32(00000000), ref: 00CB8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CB86AF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1fea1aee250b5ae3dd23b6120a55a55a4b3e71205f552110173114745fb88d5d
Instruction ID: 2b8de416996de828d150d9e47eb9d5cf8278d487819d0dd5b6f8d2d1164d646b
Opcode Fuzzy Hash: 1fea1aee250b5ae3dd23b6120a55a55a4b3e71205f552110173114745fb88d5d
Instruction Fuzzy Hash: 98410975600205AFDB119FA5DC88FAE7BBCEF89B11F104159F915E7260DB709A05CB60

Function 00C914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C91502
VariantCopy.OLEAUT32(?,?), ref: 00C9150B
VariantClear.OLEAUT32(?), ref: 00C91517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C91657
VariantInit.OLEAUT32(?), ref: 00C91708
SysFreeString.OLEAUT32(?), ref: 00C9178C
VariantClear.OLEAUT32(?), ref: 00C917D8
VariantClear.OLEAUT32(?), ref: 00C917E7
VariantInit.OLEAUT32(00000000), ref: 00C91823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C91625
Default, xrefs: 00C916AF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5373c5f0b078f93b5379f358e495ae353a483ab2b9925baa2447a749f6f819cf
Instruction ID: da466ba107a1c18f1dd2c70a2903df38b0f8eb784b8f2cc7c59c8cfd2896d783
Opcode Fuzzy Hash: 5373c5f0b078f93b5379f358e495ae353a483ab2b9925baa2447a749f6f819cf
Instruction Fuzzy Hash: 77D10531A00116DBDF009F66D88EB7DB7B5BF44700F1A845AF846ABA90DB30DD42EB61

Function 00CAB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CAB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CAB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CAB80A
RegCloseKey.ADVAPI32(?), ref: 00CAB87E
RegCloseKey.ADVAPI32(?), ref: 00CAB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CAB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CAB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CAB922
FreeLibrary.KERNEL32(00000000), ref: 00CAB983
RegCloseKey.ADVAPI32(00000000), ref: 00CAB994

Strings

advapi32.dll, xrefs: 00CAB8ED
RegDeleteKeyExW, xrefs: 00CAB8FE

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: af7a5bb9d88d826cc94836e2ddc40d891d7f060dfb0de84de9d39e08b3b5a3f6
Instruction ID: 2ebbd25ea09866067d65afb8e5a2aa0562d0c5de5d8878e5ba3be517e517ca58
Opcode Fuzzy Hash: af7a5bb9d88d826cc94836e2ddc40d891d7f060dfb0de84de9d39e08b3b5a3f6
Instruction Fuzzy Hash: 57C18B30208202AFD714DF28D494F2ABBE5BF85308F14855CF4AA8B6A3CB75ED45CB91

Function 00CA255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CA25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CA25E8
CreateCompatibleDC.GDI32(?), ref: 00CA25F4
SelectObject.GDI32(00000000,?), ref: 00CA2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CA266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CA26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CA26D0
SelectObject.GDI32(?,?), ref: 00CA26D8
DeleteObject.GDI32(?), ref: 00CA26E1
DeleteDC.GDI32(?), ref: 00CA26E8
ReleaseDC.USER32(00000000,?), ref: 00CA26F3

Strings

(, xrefs: 00CA268D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bec741ab764b5dd855f882a3f66ae5555f3888c63c040fc6d401381f80a6d9a0
Instruction ID: c1fb33b4de0411e3172fdc15589c61132be18a7a51eeb33345f2b7d7d011e448
Opcode Fuzzy Hash: bec741ab764b5dd855f882a3f66ae5555f3888c63c040fc6d401381f80a6d9a0
Instruction Fuzzy Hash: 8661E275D0021AEFCF04CFA8D984EAEBBB5FF48314F208529E955A7250D770A941DFA0

Function 00C5DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C5DAA1

Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D659
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D66B
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D67D
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D68F
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6A1
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6B3
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6C5
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6D7
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6E9
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D6FB
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D70D
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D71F
Part of subcall function 00C5D63C: _free.LIBCMT ref: 00C5D731

_free.LIBCMT ref: 00C5DA96

Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5DAB8
_free.LIBCMT ref: 00C5DACD
_free.LIBCMT ref: 00C5DAD8
_free.LIBCMT ref: 00C5DAFA
_free.LIBCMT ref: 00C5DB0D
_free.LIBCMT ref: 00C5DB1B
_free.LIBCMT ref: 00C5DB26
_free.LIBCMT ref: 00C5DB5E
_free.LIBCMT ref: 00C5DB65
_free.LIBCMT ref: 00C5DB82
_free.LIBCMT ref: 00C5DB9A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 12e6638aabe8b724da97c46a5a956aaf6a6aea27cbc480688573a489686c5d65
Instruction ID: 98bf967c841a294ae68ad0f7e3d3cfc61be9c9ff64cd0948d4a82f0e9ff190af
Opcode Fuzzy Hash: 12e6638aabe8b724da97c46a5a956aaf6a6aea27cbc480688573a489686c5d65
Instruction Fuzzy Hash: 83316F396043049FDB31AA39E845B9677E9FF11312F114419F86AE7291DF31ADC8E728

Function 00C8365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C8369C
_wcslen.LIBCMT ref: 00C836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C83797
GetClassNameW.USER32(?,?,00000400), ref: 00C8380C
GetDlgCtrlID.USER32(?), ref: 00C8385D
GetWindowRect.USER32(?,?), ref: 00C83882
GetParent.USER32(?), ref: 00C838A0
ScreenToClient.USER32(00000000), ref: 00C838A7
GetClassNameW.USER32(?,?,00000100), ref: 00C83921
GetWindowTextW.USER32(?,?,00000400), ref: 00C8395D

Strings

%s%u, xrefs: 00C83734

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 14644a6ca51950138c8386d9270087a09652f23526aab1fe75c8dec877ea0ab8
Instruction ID: 80e35009e4e4e7cbf2376e5048f4090f9feee18c43fed37c4fbd988a10a9bbf6
Opcode Fuzzy Hash: 14644a6ca51950138c8386d9270087a09652f23526aab1fe75c8dec877ea0ab8
Instruction Fuzzy Hash: 5C91E671204746AFD719EF24C885FAAF7A8FF44718F005629F9A9C2190DB30EB45CB95

Function 00C84954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C84994
GetWindowTextW.USER32(?,?,00000400), ref: 00C849DA
_wcslen.LIBCMT ref: 00C849EB
CharUpperBuffW.USER32(?,00000000), ref: 00C849F7
_wcsstr.LIBVCRUNTIME ref: 00C84A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C84A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C84A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C84AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C84B20
GetWindowRect.USER32(?,?), ref: 00C84B8B

Strings

ThumbnailClass, xrefs: 00C84A6F, 00C84AF1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0f41eaf5b202e61bb29b2e7737135912c80fe6029aa6b43f8e54452e80aa253f
Instruction ID: b31217c6463ee1b59dca2a95f5aa8b390f570e1d4a85be068b885f44fcf33fa5
Opcode Fuzzy Hash: 0f41eaf5b202e61bb29b2e7737135912c80fe6029aa6b43f8e54452e80aa253f
Instruction Fuzzy Hash: 7291BF311042069FDB18EF14C985FBA77E8FF84318F04856AFD959A096EB30EE45CBA5

Function 00C8BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00CF1990,000000FF,00000000,00000030), ref: 00C8BFAC
SetMenuItemInfoW.USER32(00CF1990,00000004,00000000,00000030), ref: 00C8BFE1
Sleep.KERNEL32(000001F4), ref: 00C8BFF3
GetMenuItemCount.USER32(?), ref: 00C8C039
GetMenuItemID.USER32(?,00000000), ref: 00C8C056
GetMenuItemID.USER32(?,-00000001), ref: 00C8C082
GetMenuItemID.USER32(?,?), ref: 00C8C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C8C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8C145

Strings

0, xrefs: 00C8BF3D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 5bb50c41239e7a27492abd4a25638e3ac1a30c24a58e2a3949845b17883fc43e
Instruction ID: fc9072ffa612c28161d8a4a1c682797ecf97410ef8714b2828cb965910930373
Opcode Fuzzy Hash: 5bb50c41239e7a27492abd4a25638e3ac1a30c24a58e2a3949845b17883fc43e
Instruction Fuzzy Hash: 92619FB090025AAFDF21EF64DCC8FAE7BB8EB05348F140115E921A3292C735AE44DB75

Function 00CACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CACD48

Part of subcall function 00CACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CACCAA
Part of subcall function 00CACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CACCBD
Part of subcall function 00CACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CACCCF
Part of subcall function 00CACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CACD05
Part of subcall function 00CACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CACCF3

Strings

advapi32.dll, xrefs: 00CACCB8
RegDeleteKeyExW, xrefs: 00CACCC9

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3c894264d521e0d374281fe0929cda2eaa91c67fd3ef7ac8773c8503dfa24cc4
Instruction ID: 0b2a76349d94703d75b2729aa5716a3022ca081e6e60d2ca1f72992507d6dacc
Opcode Fuzzy Hash: 3c894264d521e0d374281fe0929cda2eaa91c67fd3ef7ac8773c8503dfa24cc4
Instruction Fuzzy Hash: 17318E7190112ABBDB209B55DCC8FFFBB7CEF16758F000265F916E2240DB749A459AB0

Function 00C93D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C93D40
_wcslen.LIBCMT ref: 00C93D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C93D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C93DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C93DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C93E55
CloseHandle.KERNEL32(00000000), ref: 00C93E60
CloseHandle.KERNEL32(00000000), ref: 00C93E6B

Strings

\, xrefs: 00C93D77
\??\%s, xrefs: 00C93D5B
:, xrefs: 00C93D82

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1108a67f9853bce7c90593cd0d3ca972b0f5caf7e895ad5957aa843b4f7fea1b
Instruction ID: 369f168465a81dc34bafe762a7e431c160b4f91144093f0797cfe8feda4f04aa
Opcode Fuzzy Hash: 1108a67f9853bce7c90593cd0d3ca972b0f5caf7e895ad5957aa843b4f7fea1b
Instruction Fuzzy Hash: 4E319EB6A14249ABDB219FA0DC89FEF37BCEF88700F1041B5F619D6160EB7497448B24

Function 00C8E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C8E6B4

Part of subcall function 00C3E551: timeGetTime.WINMM(?,?,00C8E6D4), ref: 00C3E555

Sleep.KERNEL32(0000000A), ref: 00C8E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C8E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C8E727
SetActiveWindow.USER32 ref: 00C8E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C8E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C8E773
Sleep.KERNEL32(000000FA), ref: 00C8E77E
IsWindow.USER32 ref: 00C8E78A
EndDialog.USER32(00000000), ref: 00C8E79B

Strings

BUTTON, xrefs: 00C8E719

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e751979a428bc6245d7503509f512ad7ec5fd4944d365bccfb2daf216c92e334
Instruction ID: 6e9a50df8c48f90935c4d660259bca45b13b8a73973902909f6306b6ba212771
Opcode Fuzzy Hash: e751979a428bc6245d7503509f512ad7ec5fd4944d365bccfb2daf216c92e334
Instruction Fuzzy Hash: 86216DB0200644AFEB106F60ECC9F3E3B69E754B4DF111525F811C21B1DBB1AC04EB2A

Function 00C8E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C8EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C8EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C8EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C8EAA7

Strings

close PlayMe, xrefs: 00C8EA6E, 00C8EA9B
alias PlayMe, xrefs: 00C8EA36
open , xrefs: 00C8EA0C
play PlayMe wait, xrefs: 00C8EA91
play PlayMe, xrefs: 00C8EAA2
status PlayMe mode, xrefs: 00C8EA58

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e08197e1cfc7366606a240a7b835b5a477d3c1794327e3047344211725aabdda
Instruction ID: 126b6e2cbb86363023c8b064fbaec6438a81ccff142f0e71385fd7698aeec1a1
Opcode Fuzzy Hash: e08197e1cfc7366606a240a7b835b5a477d3c1794327e3047344211725aabdda
Instruction Fuzzy Hash: B11137316A02B979D724F766DC4ADFF6A7CEBD1F44F400435B411A20D1DE705A45D6B0

Function 00C89F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C8A012
SetKeyboardState.USER32(?), ref: 00C8A07D
GetAsyncKeyState.USER32(000000A0), ref: 00C8A09D
GetKeyState.USER32(000000A0), ref: 00C8A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00C8A0E3
GetKeyState.USER32(000000A1), ref: 00C8A0F4
GetAsyncKeyState.USER32(00000011), ref: 00C8A120
GetKeyState.USER32(00000011), ref: 00C8A12E
GetAsyncKeyState.USER32(00000012), ref: 00C8A157
GetKeyState.USER32(00000012), ref: 00C8A165
GetAsyncKeyState.USER32(0000005B), ref: 00C8A18E
GetKeyState.USER32(0000005B), ref: 00C8A19C

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5c9d9c2c87bf5d05273b9135caa17c4f21922c832d1da2aecdc68b08d16c96cb
Instruction ID: fe08d9c3b6220888ab726e00f7c7ca1adb1bdbbd1dcdd33fdcae32b5ec5f7ce0
Opcode Fuzzy Hash: 5c9d9c2c87bf5d05273b9135caa17c4f21922c832d1da2aecdc68b08d16c96cb
Instruction Fuzzy Hash: 7651EB309047886AFB35FBA048147FEAFB49F12348F0C459AD5D2571C2EA64AF4CC76A

Function 00C85CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C85CE2
GetWindowRect.USER32(00000000,?), ref: 00C85CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C85D59
GetDlgItem.USER32(?,00000002), ref: 00C85D69
GetWindowRect.USER32(00000000,?), ref: 00C85D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C85DCF
GetDlgItem.USER32(?,000003E9), ref: 00C85DDD
GetWindowRect.USER32(00000000,?), ref: 00C85DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C85E31
GetDlgItem.USER32(?,000003EA), ref: 00C85E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C85E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C85E67

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b2243d9406abace523d4e7c4d531cf3bca236fbb29c0b166b8eec40aef8705da
Instruction ID: 23d0432077e33ef5bcf258d98c3ebf32dc41094ab10741f82274008b40aed4b8
Opcode Fuzzy Hash: b2243d9406abace523d4e7c4d531cf3bca236fbb29c0b166b8eec40aef8705da
Instruction Fuzzy Hash: 2151FE71A00605AFDF18DF68DD89BAEBBB9FB48305F148229F915E7290D7709E04CB54

Function 00C38BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C38BE8,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38FC5

DestroyWindow.USER32(?), ref: 00C38C81
KillTimer.USER32(00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C38D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C76973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000,?), ref: 00C769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C38BBA,00000000), ref: 00C769D4
DeleteObject.GDI32(00000000), ref: 00C769E6

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6143e2a10d17f012ebe92821676ee71ac6d15b9258222bfb5f8ed1f433bb5e7e
Instruction ID: 06a65041483b4d27f76de5ece1c864988f8af3adcf188b41a68549134a245599
Opcode Fuzzy Hash: 6143e2a10d17f012ebe92821676ee71ac6d15b9258222bfb5f8ed1f433bb5e7e
Instruction Fuzzy Hash: BC61AF30511B00DFCB259F25E948B3977F1FB40322F189518F456A75A0CB75AE84DFA1

Function 00C39838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C39944: GetWindowLongW.USER32(?,000000EB), ref: 00C39952

GetSysColor.USER32(0000000F), ref: 00C39862

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 957aa97301b12fdf881485864e14a479992ef39060193df0a65684a787e207b1
Instruction ID: e37c5105d7cca0abd11901240d30f12bd4c862d9c108820122c9f02f8ea0eb66
Opcode Fuzzy Hash: 957aa97301b12fdf881485864e14a479992ef39060193df0a65684a787e207b1
Instruction Fuzzy Hash: 8741A031114644AFDB205F389C88BBE3BA5EB46330F144715F9B6972E1C7B19D41DB12

Function 00C896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C89717
LoadStringW.USER32(00000000,?,00C6F7F8,00000001), ref: 00C89720

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C89742
LoadStringW.USER32(00000000,?,00C6F7F8,00000001), ref: 00C89745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C89866

Strings

^ ERROR, xrefs: 00C897FB
Error: , xrefs: 00C8981D
Line %d (File "%s"):, xrefs: 00C8978F
Line %d:, xrefs: 00C897A0
%s (%d) : ==> %s: %s %s, xrefs: 00C8984A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b099190c0e988f7c2df2594e45a09ebf75c586a5e02f18f7c0cc1180d137a4ab
Instruction ID: 556b7384e936b6f72cb834a1eae9b461bcf8029a9d9a6f89ec8e00ebd938a355
Opcode Fuzzy Hash: b099190c0e988f7c2df2594e45a09ebf75c586a5e02f18f7c0cc1180d137a4ab
Instruction Fuzzy Hash: 56414C72800219ABCB04FBE0ED86EFEB778EF55344F140465F505720A2EA356F49EB61

Function 00C806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C80804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C8082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C80837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C8083C

Strings

SOFTWARE\Classes\, xrefs: 00C8070E
\CLSID, xrefs: 00C80724
\IPC$, xrefs: 00C80784

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 12409158685413d0b11645c3fccc111691f343c827af37d1e0ea7d70f38d7fcf
Instruction ID: 71ce4a8c52c4dbd3c3feeb69be66025c861a10ee9a6df28697453dd63d017c93
Opcode Fuzzy Hash: 12409158685413d0b11645c3fccc111691f343c827af37d1e0ea7d70f38d7fcf
Instruction Fuzzy Hash: 27411472C10229ABCF21EBA4EC859EDB778FF44354F144129E911A31A1EB309E48DBA0

Function 00CB3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CB403B
CreateCompatibleDC.GDI32(00000000), ref: 00CB4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CB4055
SelectObject.GDI32(00000000,00000000), ref: 00CB405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CB4068
DeleteDC.GDI32(00000000), ref: 00CB4072
GetWindowLongW.USER32(?,000000EC), ref: 00CB407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CB4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CB409E

Strings

static, xrefs: 00CB3FD3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c4e8d5110acb5795bf8d0a0f7ea3f46852a637a93033812019cbf7688ff0d279
Instruction ID: aa98bb29457e5aaf70b722d382ef839364f441eb0c67086d7b982af6b1abd634
Opcode Fuzzy Hash: c4e8d5110acb5795bf8d0a0f7ea3f46852a637a93033812019cbf7688ff0d279
Instruction Fuzzy Hash: CF316C32505219ABDF21AFA8DC49FEE3B68EF0D320F110311FA65A61A1C775D910DBA4

Function 00CA3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA3C5C
CoInitialize.OLE32(00000000), ref: 00CA3C8A
CoUninitialize.OLE32 ref: 00CA3C94
_wcslen.LIBCMT ref: 00CA3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CA3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CA3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CA3F0E
CoGetObject.OLE32(?,00000000,00CBFB98,?), ref: 00CA3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CA3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CA3FC4
VariantClear.OLEAUT32(?), ref: 00CA3FD8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e22cc1e85b8df4965a99fe1a9c361a79525cc0eec7445faa290cb73956fddc97
Instruction ID: 7a485d9bdf53d75990904957e5c50a8c13ee1122c8fb4e8e7012a556d175d59e
Opcode Fuzzy Hash: e22cc1e85b8df4965a99fe1a9c361a79525cc0eec7445faa290cb73956fddc97
Instruction Fuzzy Hash: DBC15671A083469FC700DF68C89492BBBE9FF8A748F10495DF99A9B250D731EE05CB52

Function 00C97A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C97AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C97B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C97BA3
CoCreateInstance.OLE32(00CBFD08,00000000,00000001,00CE6E6C,?), ref: 00C97BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C97C74
CoTaskMemFree.OLE32(?,?), ref: 00C97CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C97D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C97D7A
CoTaskMemFree.OLE32(00000000), ref: 00C97D81
CoTaskMemFree.OLE32(00000000), ref: 00C97DD6
CoUninitialize.OLE32 ref: 00C97DDC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d15eb4dfd39f74e42fa899db8d81073114dd8de4c7d0e611961b315126565975
Instruction ID: 935f9d019360dc34da580cee8a7b5db24336ee7e965d27b7cbc5a39aa464a14d
Opcode Fuzzy Hash: d15eb4dfd39f74e42fa899db8d81073114dd8de4c7d0e611961b315126565975
Instruction Fuzzy Hash: 70C11A75A04119AFCB14DFA4C888DAEBBF9FF48304F1485A9F8199B661D731EE41CB90

Function 00CB541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CB5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB5515
CharNextW.USER32(00000158), ref: 00CB5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CB5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CB559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB55AC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 171265ca075cd3ff81838647a61ae4bc57fa5fa72fa68f8ef04b49d3dbc60d1b
Instruction ID: a4e733e9c3d38d0fc243ba9b99321d6249b13efb6e2273f210fd43c4016db581
Opcode Fuzzy Hash: 171265ca075cd3ff81838647a61ae4bc57fa5fa72fa68f8ef04b49d3dbc60d1b
Instruction Fuzzy Hash: 7E616770900608AFDF209FA5CC84FFE7BB9EB09725F148145FA25AB290D7749A81DB61

Function 00C7FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C7FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C7FB08
VariantInit.OLEAUT32(?), ref: 00C7FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C7FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C7FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C7FBA1
VariantClear.OLEAUT32(?), ref: 00C7FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C7FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7FBCC
VariantClear.OLEAUT32(?), ref: 00C7FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7FBE9

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5ae40e189b7797e8a5bf7faa2e0e62ec0bf30e842aa3e60a02912952073b3c7d
Instruction ID: 312337c0c38e1d2f811c8888c907e5f9b38adaa46e94a5e74fdef1044b81bb56
Opcode Fuzzy Hash: 5ae40e189b7797e8a5bf7faa2e0e62ec0bf30e842aa3e60a02912952073b3c7d
Instruction Fuzzy Hash: D2414435900219DFCB00DF64D894ABDBBB9EF48354F008569E955A7251C730AA46DFA0

Function 00C89C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C89CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C89D22
GetKeyState.USER32(000000A0), ref: 00C89D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C89D57
GetKeyState.USER32(000000A1), ref: 00C89D6C
GetAsyncKeyState.USER32(00000011), ref: 00C89D84
GetKeyState.USER32(00000011), ref: 00C89D96
GetAsyncKeyState.USER32(00000012), ref: 00C89DAE
GetKeyState.USER32(00000012), ref: 00C89DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C89DD8
GetKeyState.USER32(0000005B), ref: 00C89DEA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7092df86446bbb86b85acfe307340f79cc582dd0f7ae6e591ab70c55b6da5fde
Instruction ID: 291c42765231436366c020864988e30506c2471fd3fdafd3a56a5456cb35cbf4
Opcode Fuzzy Hash: 7092df86446bbb86b85acfe307340f79cc582dd0f7ae6e591ab70c55b6da5fde
Instruction Fuzzy Hash: 944195346047C96DFF31A664C8443B5BEA0EB1134CF0C805ADAD6565C2DBB59BC8C7AA

Function 00CA055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CA05BC
inet_addr.WSOCK32(?), ref: 00CA061C
gethostbyname.WSOCK32(?), ref: 00CA0628
IcmpCreateFile.IPHLPAPI ref: 00CA0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CA06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CA06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CA07B9
WSACleanup.WSOCK32 ref: 00CA07BF

Strings

Ping, xrefs: 00CA0676

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e40078f077766c0d04cd4d81db6c092ecdaddfee4e2630583e3cbb7337b6c6a4
Instruction ID: 8aea2cc625a203019d38260957b1682af7c793d0942899df6f582a7248c9c806
Opcode Fuzzy Hash: e40078f077766c0d04cd4d81db6c092ecdaddfee4e2630583e3cbb7337b6c6a4
Instruction Fuzzy Hash: E2918D356042029FD720DF19D489F1ABBE0AF4A358F2485A9F46ADB6A2C730FD45CF91

Function 00CA8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CA8CF3

Part of subcall function 00C88E54: _wcslen.LIBCMT ref: 00C88E77

_wcslen.LIBCMT ref: 00CA8D4E
_wcslen.LIBCMT ref: 00CA8D9C
_wcslen.LIBCMT ref: 00CA8DDC
_wcslen.LIBCMT ref: 00CA8E6E

Strings

none, xrefs: 00CA8E65, 00CA8E6A
stdcall, xrefs: 00CA8DD6, 00CA8DDB
cdecl, xrefs: 00CA8D48, 00CA8D4D
winapi, xrefs: 00CA8D96, 00CA8D9B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8b40d4b23f64768e216ec99479368aa78e9cccf5799913f81cc0697a9bfaa20f
Instruction ID: ed524daadb9d99bcb93b866d96ab5244e873975d1f17157eeaf9b24bc6a11a09
Opcode Fuzzy Hash: 8b40d4b23f64768e216ec99479368aa78e9cccf5799913f81cc0697a9bfaa20f
Instruction Fuzzy Hash: FB51B275A00117DBCF14DF68C9409BEB7A5BF66728B204229E426E72C4DF30DE48D790

Function 00CA372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CA3774
CoUninitialize.OLE32 ref: 00CA377F
CoCreateInstance.OLE32(?,00000000,00000017,00CBFB78,?), ref: 00CA37D9
IIDFromString.OLE32(?,?), ref: 00CA384C
VariantInit.OLEAUT32(?), ref: 00CA38E4
VariantClear.OLEAUT32(?), ref: 00CA3936

Strings

Failed to create object, xrefs: 00CA37E4, 00CA389A
Invalid parameter, xrefs: 00CA3865
NULL Pointer assignment, xrefs: 00CA381E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 17cfa17114bda60047f12e8d8ffb55ceb6bf5c0672d4ddabb7f4996a7d41ed5e
Instruction ID: f8ac361755493e765eba72c224ae481e437a38880799d9ca72a44e024b8e0fd5
Opcode Fuzzy Hash: 17cfa17114bda60047f12e8d8ffb55ceb6bf5c0672d4ddabb7f4996a7d41ed5e
Instruction Fuzzy Hash: 5E61E170608342AFD310DF65D898F6AB7E4EF4A708F10091EF9959B291C774EE48CB92

Function 00C93388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C933CF

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C933F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C93504
"%s" (%d) : ==> %s:, xrefs: 00C93522
Error: , xrefs: 00C934D1
Line %d (File "%s"):, xrefs: 00C93443, 00C9345C
Incorrect parameters to object property !, xrefs: 00C934AB
^ ERROR , xrefs: 00C9349E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2a85b96faa88ed20203f028d460c4ac96eaee2777cf62fc332e4c87b05b4ccb4
Instruction ID: 89d67aa84c3c43dcc2df64077b82a2787e0a6b38213b8788ccc70d1790d75720
Opcode Fuzzy Hash: 2a85b96faa88ed20203f028d460c4ac96eaee2777cf62fc332e4c87b05b4ccb4
Instruction Fuzzy Hash: 86519A72900259ABDF15EBA0ED46EFEB778EF18340F144065F405720A2EB316F58EB61

Function 00C8B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C8B5FC
_wcslen.LIBCMT ref: 00C8B608
_wcslen.LIBCMT ref: 00C8B64D
_wcslen.LIBCMT ref: 00C8B68C
_wcslen.LIBCMT ref: 00C8B6C7

Strings

EXISTS, xrefs: 00C8B686, 00C8B68B
REMOVE, xrefs: 00C8B602, 00C8B607
KEYS, xrefs: 00C8B647, 00C8B64C
APPEND, xrefs: 00C8B6C1, 00C8B6C6

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 66cf86fe18b150adf535456a2b1eae32aa2e870aa48c26b0bfc4bf2fa93dfe03
Instruction ID: 89acb396111e1b9b9c59bfa175aae280de60c382b7ff9ffbeaf0a2d01db211f8
Opcode Fuzzy Hash: 66cf86fe18b150adf535456a2b1eae32aa2e870aa48c26b0bfc4bf2fa93dfe03
Instruction Fuzzy Hash: BB41A432A101279ACB247F7D88905BEB7A5BF60798B254129F435D7284F731CE81D794

Function 00C95393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C95416
GetLastError.KERNEL32 ref: 00C95420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C954A7

Strings

READONLY, xrefs: 00C95452
READY, xrefs: 00C95460, 00C95468
NOTREADY, xrefs: 00C9544B
INVALID, xrefs: 00C95459
UNKNOWN, xrefs: 00C95444

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4fd0c2a3a39839699bfc4ac1ac993afd859018c70e92410a550eb5ed20e70500
Instruction ID: 3e661bfd007ff7c9f8755df69ee057df30a2a4b36b83b806e0d3f26b0ef8558d
Opcode Fuzzy Hash: 4fd0c2a3a39839699bfc4ac1ac993afd859018c70e92410a550eb5ed20e70500
Instruction Fuzzy Hash: 7931D075A006049FCF52DF69C888BAEBBB4FF54305F148069E416DB292DB30DE82CB90

Function 00CB3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CB3C79
SetMenu.USER32(?,00000000), ref: 00CB3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CB3D10
IsMenu.USER32(?), ref: 00CB3D24
CreatePopupMenu.USER32 ref: 00CB3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CB3D5B
DrawMenuBar.USER32 ref: 00CB3D63

Strings

F, xrefs: 00CB3D4E
0, xrefs: 00CB3C54

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e18038617d40727f61ae35341ab9800c2e64d2861b2e6fdce0e75afde42449db
Instruction ID: 0503c7cb8b1a68dca8f8df7d711a9d2f3eacc52b7d3a737e77f487d8c8a6600e
Opcode Fuzzy Hash: e18038617d40727f61ae35341ab9800c2e64d2861b2e6fdce0e75afde42449db
Instruction Fuzzy Hash: 70418778A01209EFDB24CFA4D888BEE7BB5FF59350F140129F956A7360D770AA14DB90

Function 00C81EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C81F64
GetDlgCtrlID.USER32 ref: 00C81F6F
GetParent.USER32 ref: 00C81F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C81F8E
GetDlgCtrlID.USER32(?), ref: 00C81F97
GetParent.USER32(?), ref: 00C81FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C81FAE

Strings

ComboBox, xrefs: 00C81EEC
ListBox, xrefs: 00C81F21

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 865ce91cb52471000397afd7187d85720660fa72595a2fb01ea9bce07c66270f
Instruction ID: 1e09d5854ecea650d9b6a9a6fddc23aacedfe39dde8737e192f9103c84a6a55c
Opcode Fuzzy Hash: 865ce91cb52471000397afd7187d85720660fa72595a2fb01ea9bce07c66270f
Instruction Fuzzy Hash: 7421C274E00214BBCF04AFA0DC85EEEBBB8EF09354F040215FA61672D1DB745905DB64

Function 00C81FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C82043
GetDlgCtrlID.USER32 ref: 00C8204E
GetParent.USER32 ref: 00C8206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C8206D
GetDlgCtrlID.USER32(?), ref: 00C82076
GetParent.USER32(?), ref: 00C8208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C8208D

Strings

ComboBox, xrefs: 00C81FCD
ListBox, xrefs: 00C82002

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 08c18a318623fc94e1c31106319741834715e2e548f0f46531ea2116790328da
Instruction ID: f414ccf583ffd6c59411584aaab69047b538de2754cb36ecceb01dcf867b6b18
Opcode Fuzzy Hash: 08c18a318623fc94e1c31106319741834715e2e548f0f46531ea2116790328da
Instruction Fuzzy Hash: 2421A1B5E00218BBCF10BFA0DC89FEEBBB8EF09344F004116B951A71A1DB755915EB64

Function 00CB3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CB3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CB3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CB3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CB3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CB3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CB3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CB3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CB3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CB3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CB3C13

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1de8ee6d98eec10aeb1869292dd9b6b82c4fbdab4e1029d8a15efb90af0f1016
Instruction ID: 2d3811d4a9126d16be6f247543df47f7312bd22c84ceaeb0372b148a74f92713
Opcode Fuzzy Hash: 1de8ee6d98eec10aeb1869292dd9b6b82c4fbdab4e1029d8a15efb90af0f1016
Instruction Fuzzy Hash: D5617975A00288AFDB10DFA8CC81FEE77B8EB09710F140199FA15A72A1D770AE45DB50

Function 00C8B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C8B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C8B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C8A1E1,?,00000001), ref: 00C8B21D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a2cb8d413fe8b82804418f325515e8bb1096c12c4975cc5f0e0a434b618c3cac
Instruction ID: 17d763ca71d212e6e262ca8e47475cddcf4d0f9ba9459d19b3b3f7220df34e72
Opcode Fuzzy Hash: a2cb8d413fe8b82804418f325515e8bb1096c12c4975cc5f0e0a434b618c3cac
Instruction Fuzzy Hash: 703180B5500204BFDB10AF64DC88FBD7BA9BB51319F104116FA15D7190DBB8AE40CF69

Function 00C52C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C52C94

Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C52CA0
_free.LIBCMT ref: 00C52CAB
_free.LIBCMT ref: 00C52CB6
_free.LIBCMT ref: 00C52CC1
_free.LIBCMT ref: 00C52CCC
_free.LIBCMT ref: 00C52CD7
_free.LIBCMT ref: 00C52CE2
_free.LIBCMT ref: 00C52CED
_free.LIBCMT ref: 00C52CFB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9f5925d2634d728156da5c27dd0d8cd3628cde83164d2659813fdc1dd0e0e53b
Instruction ID: 475d4439ecaff2a83591c0f78b651abd765da17238fe8a82fb61854a4e436bb1
Opcode Fuzzy Hash: 9f5925d2634d728156da5c27dd0d8cd3628cde83164d2659813fdc1dd0e0e53b
Instruction Fuzzy Hash: D311A47A100108AFCB02EF54D882CDD3BA5FF16351F5144A5FE48AF322DA31EE94AB94

Function 00C97DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C97FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C97FC1
GetFileAttributesW.KERNEL32(?), ref: 00C97FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C98005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C98060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C980B0

Strings

*.*, xrefs: 00C98066

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7eed7f3ac911d5fcb845a17e8eeae6875b8fec6c8bbb3700e153d79d0bb954bb
Instruction ID: 3ecb994b092f22caaa36d416c6b3050faef87061c7df8efdbe6fc527eb3e8baf
Opcode Fuzzy Hash: 7eed7f3ac911d5fcb845a17e8eeae6875b8fec6c8bbb3700e153d79d0bb954bb
Instruction Fuzzy Hash: 1B81B1715182419FCF20EF55C888AAEB3E8BF89310F144D6EF895D7250EB34DE498B52

Function 00C25BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C25C7A

Part of subcall function 00C25D0A: GetClientRect.USER32(?,?), ref: 00C25D30
Part of subcall function 00C25D0A: GetWindowRect.USER32(?,?), ref: 00C25D71
Part of subcall function 00C25D0A: ScreenToClient.USER32(?,?), ref: 00C25D99

GetDC.USER32 ref: 00C646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C64708
SelectObject.GDI32(00000000,00000000), ref: 00C64716
SelectObject.GDI32(00000000,00000000), ref: 00C6472B
ReleaseDC.USER32(?,00000000), ref: 00C64733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C647C4

Strings

U, xrefs: 00C64693

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 8189253f17f5a3d04637a1ec66b9aee3043ca7ac69506612e1448e955a189878
Instruction ID: c477a644dfbec6314441404d75c1e6d8822da729e65c2d8880a3e66f55294443
Opcode Fuzzy Hash: 8189253f17f5a3d04637a1ec66b9aee3043ca7ac69506612e1448e955a189878
Instruction Fuzzy Hash: 7771BC31400205DFCF398F64C9C4ABA7BB5FF4A360F184269FD665A2A6D7319A41DF60

Function 00C9359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C935E4

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

LoadStringW.USER32(00CF2390,?,00000FFF,?), ref: 00C9360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C93724
"%s" (%d) : ==> %s:, xrefs: 00C93742
^ ERROR, xrefs: 00C936C9
Error: , xrefs: 00C936EF
Line %d (File "%s"):, xrefs: 00C9366B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 9fc4ea60aad681e230c0c93c37be3610821bbf63813d22821ec0d91070e7722d
Instruction ID: 1073e612bd997d89c26381f627256ef5283069313e4ed13fe2899b9d3cabd3ac
Opcode Fuzzy Hash: 9fc4ea60aad681e230c0c93c37be3610821bbf63813d22821ec0d91070e7722d
Instruction Fuzzy Hash: AE517B7290025AABCF14EBE0DC86EEEBB78EF14344F084125F505724A1EB305B99EB61

Function 00C9C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C9C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C9C2CA
GetLastError.KERNEL32 ref: 00C9C322
SetEvent.KERNEL32(?), ref: 00C9C336
InternetCloseHandle.WININET(00000000), ref: 00C9C341

Strings

, xrefs: 00C9C2BB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 126f9ace626a41a8e899b250aca631845a88db60397ea8ff2f4fd22ebc0df087
Instruction ID: 3aaefd0fcdae68b1ac0dfc4014ea53ed24d70bd59fcc983aa111d73cebb9ce6c
Opcode Fuzzy Hash: 126f9ace626a41a8e899b250aca631845a88db60397ea8ff2f4fd22ebc0df087
Instruction Fuzzy Hash: 75314BB1600608AFDB219FA58CC8BAB7AFCFB49744F14851EF456E2211DB34DE049B61

Function 00C8989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C63AAF,?,?,Bad directive syntax error,00CBCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C898BC
LoadStringW.USER32(00000000,?,00C63AAF,?), ref: 00C898C3

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C89987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00C898F1
Error: , xrefs: 00C89955
Line %d (File "%s"):, xrefs: 00C8992D
Line %d:, xrefs: 00C89912
., xrefs: 00C8996D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d52f94a9fdc818700f8efd7d78f01628dccaa0ee9f850a049ffbd233664687a1
Instruction ID: 6d76e7114af3bc9ea09e794ddf34a2dc454046cb4dcf7789129c07ad83b100df
Opcode Fuzzy Hash: d52f94a9fdc818700f8efd7d78f01628dccaa0ee9f850a049ffbd233664687a1
Instruction Fuzzy Hash: D6218031D5025EABCF11EF90DC46EEE7739FF28304F084469F519620A2EB719618EB11

Function 00C8209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C8214D

Strings

largeicons, xrefs: 00C820E1
smallicons, xrefs: 00C82115
list, xrefs: 00C8212F
SHELLDLL_DefView, xrefs: 00C820CC
details, xrefs: 00C820FB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0c1808f8af3cdab1def5f7389e1b5f4c9342918b70b0b5eb11f349dbe5a6bea3
Instruction ID: dc067fa5594b420f903aeaccf0c3dfdddc4a83aa3f3903e1036fe3ee6ea1508e
Opcode Fuzzy Hash: 0c1808f8af3cdab1def5f7389e1b5f4c9342918b70b0b5eb11f349dbe5a6bea3
Instruction Fuzzy Hash: 8C110676688706BAF6157221DC0EEAF379CEB0432CF301126FB05A50D1FEA16D016718

Function 00C58D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba81cfff1d31877cd52e83deef2367fef1cf9592a3e266038255bdcf270dd48f
Instruction ID: b9ec7c85bbae5aba758a9002e1b8993248a181f93a31e7a7833589753f77459c
Opcode Fuzzy Hash: ba81cfff1d31877cd52e83deef2367fef1cf9592a3e266038255bdcf270dd48f
Instruction Fuzzy Hash: 4DC1E278904249EFCF21DFA8C841BADBBB0FF4D311F144199E825A7292C7748A89CB65

Function 00C5CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C5CEB7
_free.LIBCMT ref: 00C5CF22
_free.LIBCMT ref: 00C5CF48
_free.LIBCMT ref: 00C5CF71
_free.LIBCMT ref: 00C5CFA9
_free.LIBCMT ref: 00C5CFDA
_free.LIBCMT ref: 00C5D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C5D09C
_free.LIBCMT ref: 00C5D0B5

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 25514bd597fdc84317225b3df39ff6ce46edfdd5a0dbe34fe06d2e128bdc7c22
Instruction ID: 666fd567b1bf1079b4264ef13d4931217a7b4cfb50573cba79b68fc1b289d38d
Opcode Fuzzy Hash: 25514bd597fdc84317225b3df39ff6ce46edfdd5a0dbe34fe06d2e128bdc7c22
Instruction Fuzzy Hash: EB614579904300AFDB21AFF4D8C1B6E7BE5AF01722F14026DFC11A7282D6319AC9D799

Function 00CB50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CB5186
ShowWindow.USER32(?,00000000), ref: 00CB51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CB51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CB51D1

Part of subcall function 00CB6FBA: DeleteObject.GDI32(00000000), ref: 00CB6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CB520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CB524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CB5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CB5296

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 7e51287f106a520c57f53a6449854ae331c2918cb7da501b65925c2d9e431662
Instruction ID: 3dfb4f195d79f793b2ebee0268d8f8bf5834106c8340b4b8f765b85cedf736ee
Opcode Fuzzy Hash: 7e51287f106a520c57f53a6449854ae331c2918cb7da501b65925c2d9e431662
Instruction Fuzzy Hash: 1651A330A52A08FFEF249F69DC4ABDD3B65FB05321F144112F525962E0C7B5AE80DB41

Function 00C38B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C76890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C38874,00000000,00000000,00000000,000000FF,00000000), ref: 00C76901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C7691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C38874,00000000,00000000,00000000,000000FF,00000000), ref: 00C7692D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a50def95b58a68e41ffe438ac3a5736c23e6b89579a29ba555e8b72d164634f2
Instruction ID: e26b536befb2e89e2ba51560b69fb3a8dc937c86fafaf9f25e3b63fbd1760317
Opcode Fuzzy Hash: a50def95b58a68e41ffe438ac3a5736c23e6b89579a29ba555e8b72d164634f2
Instruction Fuzzy Hash: 67518B7061070AEFDB20CF25CC95FAABBB5EB48364F144518F956972E0DB70EA50DB50

Function 00C9C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C9C182
GetLastError.KERNEL32 ref: 00C9C195
SetEvent.KERNEL32(?), ref: 00C9C1A9

Part of subcall function 00C9C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9C272
Part of subcall function 00C9C253: GetLastError.KERNEL32 ref: 00C9C322
Part of subcall function 00C9C253: SetEvent.KERNEL32(?), ref: 00C9C336
Part of subcall function 00C9C253: InternetCloseHandle.WININET(00000000), ref: 00C9C341

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ff403cb43d23a92f3d6ac5773857f680b423e023c01e6a47b4699844e464bdbd
Instruction ID: f3bf25ccea99aca2c773b88b372b4e4420a845acc1474b4daa45a846775d18a5
Opcode Fuzzy Hash: ff403cb43d23a92f3d6ac5773857f680b423e023c01e6a47b4699844e464bdbd
Instruction Fuzzy Hash: F0318C71200A41AFDF259FA5DC88B6ABBF8FF58300B10451DF96682620DB30E914ABA0

Function 00C825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C82601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C82605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C8260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C82623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C82627

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8b60f0044c24a9a80dac2c1e5dfdf1da568775b189d7d2aaa794c7286ff0e2ed
Instruction ID: 40ae556efb14eca111ccbf6d9eb20dbf36d6da401440cdbb5423888bb1a5cfd9
Opcode Fuzzy Hash: 8b60f0044c24a9a80dac2c1e5dfdf1da568775b189d7d2aaa794c7286ff0e2ed
Instruction Fuzzy Hash: 8F01BC70290610BBFB2067699CCAF9D3F59DB5EB16F100102F358AF0E1C9F224449AAA

Function 00C81803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C81449,?,?,00000000), ref: 00C8180C
HeapAlloc.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C81813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C81449,?,?,00000000), ref: 00C81828
GetCurrentProcess.KERNEL32(?,00000000,?,00C81449,?,?,00000000), ref: 00C81830
DuplicateHandle.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C81833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C81449,?,?,00000000), ref: 00C81843
GetCurrentProcess.KERNEL32(00C81449,00000000,?,00C81449,?,?,00000000), ref: 00C8184B
DuplicateHandle.KERNEL32(00000000,?,00C81449,?,?,00000000), ref: 00C8184E
CreateThread.KERNEL32(00000000,00000000,00C81874,00000000,00000000,00000000), ref: 00C81868

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba3a6985519ce7059cc40244e91f796abc8a1126bf9a81d608339a3d01acc36f
Instruction ID: c7e58f9a43465c68fdf24034495d76dcfa2807b22fa1b7784328f02c2be779f6
Opcode Fuzzy Hash: ba3a6985519ce7059cc40244e91f796abc8a1126bf9a81d608339a3d01acc36f
Instruction Fuzzy Hash: 1401BFB5240304BFE710AFA5DC8DF5F3BACEB89B11F414521FA05EB1A1C6709810CB20

Function 00CAA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C8D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C8D501
Part of subcall function 00C8D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C8D50F
Part of subcall function 00C8D4DC: CloseHandle.KERNELBASE(00000000), ref: 00C8D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CAA16D
GetLastError.KERNEL32 ref: 00CAA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CAA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CAA268
GetLastError.KERNEL32(00000000), ref: 00CAA273
CloseHandle.KERNEL32(00000000), ref: 00CAA2C4

Strings

SeDebugPrivilege, xrefs: 00CAA18F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: be2326d68f3b2201478c21e157453866573c39abbcce535f3b7e2ea1aba80178
Instruction ID: 6c11b5a72e2c708ef6521ce9b3cba037201537a083e78c2093832165c70c5b10
Opcode Fuzzy Hash: be2326d68f3b2201478c21e157453866573c39abbcce535f3b7e2ea1aba80178
Instruction Fuzzy Hash: 77618E70204242AFD720DF19C494F1ABBE1AF4531CF14859CE46A8BBA3C772ED45CB92

Function 00CB3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CB3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CB393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CB3954
_wcslen.LIBCMT ref: 00CB3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CB39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CB39F4

Strings

SysListView32, xrefs: 00CB38F7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: cad4ef81cc0c0b332aaa56952bd3d1e28dd194797d47dd7501210d1c03cb9139
Instruction ID: 590a7383bf4e4869b3eaa1117359884fb30506b35153bc3245496f30b202788f
Opcode Fuzzy Hash: cad4ef81cc0c0b332aaa56952bd3d1e28dd194797d47dd7501210d1c03cb9139
Instruction Fuzzy Hash: DA41A571A00258ABEF219FA4CC45FEE77A9EF18350F140526F954E7281D7B19E80DB90

Function 00C8BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8BCFD
IsMenu.USER32(00000000), ref: 00C8BD1D
CreatePopupMenu.USER32 ref: 00C8BD53
GetMenuItemCount.USER32(016C64E0), ref: 00C8BDA4
InsertMenuItemW.USER32(016C64E0,?,00000001,00000030), ref: 00C8BDCC

Strings

0, xrefs: 00C8BCA8
2, xrefs: 00C8BD37

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6f4e4a6a41d45ddead3b14ce12eb7347b0c532abc1c2d7bd961d424cceeb9d64
Instruction ID: 3de101d3e3036f6e64d2a50301c9c2d70aeeefc31850b9fff6e424b6607944ec
Opcode Fuzzy Hash: 6f4e4a6a41d45ddead3b14ce12eb7347b0c532abc1c2d7bd961d424cceeb9d64
Instruction Fuzzy Hash: 5A51A070600205EBDF20EFA9D8C4BAEBBF4BF45318F14421AF46197295D770AE45CB69

Function 00C8C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C8C913

Strings

blank, xrefs: 00C8C895
question, xrefs: 00C8C8CC
warning, xrefs: 00C8C8FC
info, xrefs: 00C8C8B4
stop, xrefs: 00C8C8E4

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 72ce99cf580c15dcb8e3bc92f7be8e03472230cac520bb337c5cdca487cb5d89
Instruction ID: f1efa5eba0a6b45b29a3c9c6bbc0f6fe8fc5244b51eb826c37dfb631b4a5c77c
Opcode Fuzzy Hash: 72ce99cf580c15dcb8e3bc92f7be8e03472230cac520bb337c5cdca487cb5d89
Instruction Fuzzy Hash: 45112B32689706BAA7047B159CC2DAE279CEF2536CB20007BF500A62C2E7745E40637D

Function 00C8DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C8DE42
gethostname.WSOCK32(?,00000100), ref: 00C8DE5C
gethostbyname.WSOCK32(?), ref: 00C8DE69
inet_ntoa.WSOCK32(?), ref: 00C8DEAB
_strcat.LIBCMT ref: 00C8DEB9
WSACleanup.WSOCK32 ref: 00C8DEDE

Strings

0.0.0.0, xrefs: 00C8DE87

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 08030148ed4100546f4b28a757af44b60c9025005a1471413f74e945968e9501
Instruction ID: 3a189c6961229dcf1632c25c9e7f2d0b452b92a4074fa2b525061c0b304edd7d
Opcode Fuzzy Hash: 08030148ed4100546f4b28a757af44b60c9025005a1471413f74e945968e9501
Instruction Fuzzy Hash: C2115971900114AFCB24BB20DC4AFEE37ACEF10315F1001B9F146AA0D1EF719A819B64

Function 00CB9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

GetSystemMetrics.USER32(0000000F), ref: 00CB9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CB9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CBA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CBA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CBA263
ShowWindow.USER32(00000003,00000000), ref: 00CBA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CBA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CBA2CA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5275b22d094b8cc553dc720b25528cc21dc2ee997f695ab1bb341b48fc3bb65e
Instruction ID: 1df0b9feaf004147c0fedb983580c88e2365516dc00d973cc334246d321b1cfc
Opcode Fuzzy Hash: 5275b22d094b8cc553dc720b25528cc21dc2ee997f695ab1bb341b48fc3bb65e
Instruction Fuzzy Hash: 5CB17931600215DBDF14CF68C9C57EE7BB2FF44711F098069ED99AB295DB31AA40CB52

Function 00C8ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C8ED2A
_wcslen.LIBCMT ref: 00C8ED3B
_wcslen.LIBCMT ref: 00C8ED79
_wcslen.LIBCMT ref: 00C8EDAF
_wcslen.LIBCMT ref: 00C8EDDF
_wcslen.LIBCMT ref: 00C8EDEF
_wcslen.LIBCMT ref: 00C8EE2B
_wcslen.LIBCMT ref: 00C8EE5A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e18a6b724dc1fffb1ae1350a55d4194a82ffd188a2c275b3e9c99370bef244ca
Instruction ID: 7a40bdabe331e384dd52ef5cfb12b9d20c5dae186db1634e31cd3bd1c8657882
Opcode Fuzzy Hash: e18a6b724dc1fffb1ae1350a55d4194a82ffd188a2c275b3e9c99370bef244ca
Instruction Fuzzy Hash: 51418065C1021876CB21FBB4C88AACFB7ACBF45710F508562E518F3121FB34E656D3AA

Function 00C3F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C3F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C7F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00C7F454

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: dd15b91559f3562e8af21066e60ddca2e6371ca629758afff0c5d11897d6c1f1
Instruction ID: 58c7a4a0aa701df1d0d58157b2ec289248fdf2ccc1cb8ac0405ef8a2c3115c17
Opcode Fuzzy Hash: dd15b91559f3562e8af21066e60ddca2e6371ca629758afff0c5d11897d6c1f1
Instruction Fuzzy Hash: 1D410D31924740BBC7358B2DC8C877E7B91AF56324F148D3CE09B56660C671AA83D751

Function 00CB2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CB2D1B
GetDC.USER32(00000000), ref: 00CB2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CB2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CB2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CB2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CB5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CB2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CB2DE1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6a1bd92460d976b4e6b8d53ebe58826b5556d85967f0ef44718fb4a08316dc57
Instruction ID: c71d0bd30a13bbee39730a5068bed730f2e30956d4e561b2a6910cfd45f14afb
Opcode Fuzzy Hash: 6a1bd92460d976b4e6b8d53ebe58826b5556d85967f0ef44718fb4a08316dc57
Instruction Fuzzy Hash: 64317A72201214BFEB218F64DC8AFEB3BADEF49715F044155FE08AA291C6B59C51CBB4

Function 00C85622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C85637
_memcmp.LIBVCRUNTIME ref: 00C85659
_memcmp.LIBVCRUNTIME ref: 00C85671
_memcmp.LIBVCRUNTIME ref: 00C85684
_memcmp.LIBVCRUNTIME ref: 00C8569E
_memcmp.LIBVCRUNTIME ref: 00C856B1
_memcmp.LIBVCRUNTIME ref: 00C856C9
_memcmp.LIBVCRUNTIME ref: 00C856E4

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bef7f36de8066bbe6393575b13be2d1f5e65c0c30aa53da5ac1e92a044fb8c2e
Instruction ID: e7fa8825f1aa7decfa2e1c48e233f09c50b3fb936d39f33be4a2e2debf4110be
Opcode Fuzzy Hash: bef7f36de8066bbe6393575b13be2d1f5e65c0c30aa53da5ac1e92a044fb8c2e
Instruction Fuzzy Hash: FA21A461650A09BBD6147A218E82FFB335CBF20399F584034FD059A781F7A1EE5193AD

Function 00CA4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00CA5007
NULL Pointer assignment, xrefs: 00CA502E, 00CA5383

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7013c0cc2dda550348c4590a2f0553bab0dc564cc44bc445e085c419f6c3171e
Instruction ID: d61a21e56877c4bb47108df6e7632494c154abe8d63588842c7a8b8514707875
Opcode Fuzzy Hash: 7013c0cc2dda550348c4590a2f0553bab0dc564cc44bc445e085c419f6c3171e
Instruction Fuzzy Hash: 35D1B271A0060BAFDF10CFA8C881BAEB7B5BF49348F14C569E915AB291E770DE45CB50

Function 00C61522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C615CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C61651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C616E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C616FB

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C61777
__freea.LIBCMT ref: 00C617A2
__freea.LIBCMT ref: 00C617AE

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 10370e0a818836004b91d03f673f3ea5f17e080379ed6dfd96a95ab12f7d197b
Instruction ID: 5dc09338d0bfeac252390a12958333360c6e9e26592b31845ae39c1eeb6caed2
Opcode Fuzzy Hash: 10370e0a818836004b91d03f673f3ea5f17e080379ed6dfd96a95ab12f7d197b
Instruction Fuzzy Hash: 6B91AF72E002169ADB308E75C8C1AEEBBB5EF49312F1C4659EC12E7191DB35DE44DBA0

Function 00CA4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA4648
VariantInit.OLEAUT32(?), ref: 00CA4749
VariantClear.OLEAUT32(?), ref: 00CA4753
VariantClear.OLEAUT32(?), ref: 00CA47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CA472C
Null Object assignment in FOR..IN loop, xrefs: 00CA45D8, 00CA4706, 00CA47BE

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5744afae2cb0145ce29f8b46b6d9b3d700af75fd85ad0d9ed1f04cfd1c997533
Instruction ID: 1e14d2780d22aef0f2675d75f0b83b769de82f3a099f7a56586d5f4910d8598a
Opcode Fuzzy Hash: 5744afae2cb0145ce29f8b46b6d9b3d700af75fd85ad0d9ed1f04cfd1c997533
Instruction Fuzzy Hash: 2A919371A00216ABDF24CFA5D884FAE77B8EF86718F108559F515EB281D7B09A41CFA0

Function 00C91187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C9125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C91284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C9135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C91430

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e91b13e2ee52b69c61b5e3f80d9cc19e5335cc44d57d2736162cb350fb6aea29
Instruction ID: 06013543f7294e20975c4f192fe1d5af1aceb7f22a9b8eaeedb620516fb24a91
Opcode Fuzzy Hash: e91b13e2ee52b69c61b5e3f80d9cc19e5335cc44d57d2736162cb350fb6aea29
Instruction Fuzzy Hash: 7791F275A0021AAFDF00DF94C88ABBEB7B5FF44310F194429E910EB291D774EA41DB90

Function 00C3948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2a359caa0e51528e68789725d87d414bf0367bba96ee7ee7471012d88899bbaf
Instruction ID: 25d24148f3bc6943af56a7674fc69419cae7b4bd5c87a74ef0dc406d3955c8f7
Opcode Fuzzy Hash: 2a359caa0e51528e68789725d87d414bf0367bba96ee7ee7471012d88899bbaf
Instruction Fuzzy Hash: 1F911671D00219EFCB11CFA9CC84AEEBBB8FF49320F148659E515B7251D774AA82DB60

Function 00CA3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA396B
CharUpperBuffW.USER32(?,?), ref: 00CA3A7A
_wcslen.LIBCMT ref: 00CA3A8A
VariantClear.OLEAUT32(?), ref: 00CA3C1F

Part of subcall function 00C90CDF: VariantInit.OLEAUT32(00000000), ref: 00C90D1F
Part of subcall function 00C90CDF: VariantCopy.OLEAUT32(?,?), ref: 00C90D28
Part of subcall function 00C90CDF: VariantClear.OLEAUT32(?), ref: 00C90D34

Strings

AUTOIT.ERROR, xrefs: 00CA3A80, 00CA3A85
Incorrect Parameter format, xrefs: 00CA39A6, 00CA3BA1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 7b7dfc0cdc27d3c7198945677849a58e8ac8d17e909df7b5897a50b56b3e4a42
Instruction ID: 72a9c54ba6e5a729a392d8903d15118c6dc79bd38e6e0dc7af23a8d2815d5973
Opcode Fuzzy Hash: 7b7dfc0cdc27d3c7198945677849a58e8ac8d17e909df7b5897a50b56b3e4a42
Instruction Fuzzy Hash: CA919A746083469FC704EF68C49096AB7E5FF89318F14892DF89A9B351DB30EE05DB92

Function 00CA4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C8000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?,?,00C8035E), ref: 00C8002B
Part of subcall function 00C8000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80046
Part of subcall function 00C8000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80054
Part of subcall function 00C8000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?), ref: 00C80064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CA4C51
_wcslen.LIBCMT ref: 00CA4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CA4DCF
CoTaskMemFree.OLE32(?), ref: 00CA4DDA

Strings

NULL Pointer assignment, xrefs: 00CA4E23, 00CA4E52

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: eeab4ee4bdf6f295ecb1473041e2db946d2e3f82c608d5bb3f7b98ac55bd617f
Instruction ID: 9e888029353b678da4c9c4d9958810fde2a8873635867dc9ab318f196c59a9ca
Opcode Fuzzy Hash: eeab4ee4bdf6f295ecb1473041e2db946d2e3f82c608d5bb3f7b98ac55bd617f
Instruction Fuzzy Hash: 88912671D0022DEFDF14DFA4D881AEEB7B8BF49314F108169E915A7291EB709A44DF60

Function 00CB20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CB2183
GetMenuItemCount.USER32(00000000), ref: 00CB21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CB21DD
_wcslen.LIBCMT ref: 00CB2213
GetMenuItemID.USER32(?,?), ref: 00CB224D
GetSubMenu.USER32(?,?), ref: 00CB225B

Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CB22E3

Part of subcall function 00C8E97B: Sleep.KERNEL32 ref: 00C8E9F3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b00f8b5224d24c3dd9df0fc4f1fa820ae77e78cd852f2cce907ea712b0042eaf
Instruction ID: f82c55b7e94a6a8c3175c7479c75d5c7df81f6a71c46d134ebdbb7eda143548c
Opcode Fuzzy Hash: b00f8b5224d24c3dd9df0fc4f1fa820ae77e78cd852f2cce907ea712b0042eaf
Instruction Fuzzy Hash: 72719175E00215AFCB10DFA9C885AEEB7F5EF48320F108459E826EB351D734EE429B91

Function 00CB7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016C6530), ref: 00CB7F37
IsWindowEnabled.USER32(016C6530), ref: 00CB7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CB801E
SendMessageW.USER32(016C6530,000000B0,?,?), ref: 00CB8051
IsDlgButtonChecked.USER32(?,?), ref: 00CB8089
GetWindowLongW.USER32(016C6530,000000EC), ref: 00CB80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CB80C3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 018e507425cdce6aba77556511df4c77aa56dd7d0a3d72a89b8191042466983a
Instruction ID: a66d0516bfd26e2021c76f2d4149dfc4045f212b00425df69e728319c95ae82c
Opcode Fuzzy Hash: 018e507425cdce6aba77556511df4c77aa56dd7d0a3d72a89b8191042466983a
Instruction Fuzzy Hash: 4A71AE34609204AFEF209F94C884FFABBB9EF49340F140559FD65972A1CB31AE45DB24

Function 00C8AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C8AEF9
GetKeyboardState.USER32(?), ref: 00C8AF0E
SetKeyboardState.USER32(?), ref: 00C8AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C8AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C8AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C8AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C8B020

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: be7004bac885188845bf3309c529bc3d80066976d5adc85cada2ddb8dc546804
Instruction ID: 79c149c97e03f907b4b4f65dc23031dd1e43e2e8ff0f83f3ed9b51a18e39e2ad
Opcode Fuzzy Hash: be7004bac885188845bf3309c529bc3d80066976d5adc85cada2ddb8dc546804
Instruction Fuzzy Hash: F25103F06047D13DFB36A2748C45BBBBEA95B06308F08858AF2E9454C2D3D8AED4D759

Function 00C8ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C8AD19
GetKeyboardState.USER32(?), ref: 00C8AD2E
SetKeyboardState.USER32(?), ref: 00C8AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C8ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C8ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C8AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C8AE38

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f246c993cedf010b928891080552d2f41f4c76e805bc6cd9e952e2ec2c1528bd
Instruction ID: 23044cdd6cd0a04a669df5c750bfb84f15a13e42bcd13b1429a87aa5a0dde1bc
Opcode Fuzzy Hash: f246c993cedf010b928891080552d2f41f4c76e805bc6cd9e952e2ec2c1528bd
Instruction Fuzzy Hash: 75512AA05047D13DFB3363348C85B7ABE985B06309F08898AF1E5868C2C394ED94E75A

Function 00C5542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C63CD6,?,?,?,?,?,?,?,?,00C55BA3,?,?,00C63CD6,?,?), ref: 00C55470
__fassign.LIBCMT ref: 00C554EB
__fassign.LIBCMT ref: 00C55506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C63CD6,00000005,00000000,00000000), ref: 00C5552C
WriteFile.KERNEL32(?,00C63CD6,00000000,00C55BA3,00000000,?,?,?,?,?,?,?,?,?,00C55BA3,?), ref: 00C5554B
WriteFile.KERNEL32(?,?,00000001,00C55BA3,00000000,?,?,?,?,?,?,?,?,?,00C55BA3,?), ref: 00C55584

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9b622a2616059f8140783b82c6b0630c0cb964ae184d8ca7d6bb54ab141eb04e
Instruction ID: 817ec145bb7d238a50bdbd988008dd76080019b1772c78e83c7561b94d331252
Opcode Fuzzy Hash: 9b622a2616059f8140783b82c6b0630c0cb964ae184d8ca7d6bb54ab141eb04e
Instruction Fuzzy Hash: 455107B59006499FCB10CFA8D891BEEBBF9EF18301F14411AF955E7291E730DA85CB64

Function 00C42D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C42D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C42D53
_ValidateLocalCookies.LIBCMT ref: 00C42DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C42E0C
_ValidateLocalCookies.LIBCMT ref: 00C42E61

Strings

csm, xrefs: 00C42DF6

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 777162e1a9e29bc6b5e3c18b56ce1448f000ae5022c7882befbeaf6f7fed058b
Instruction ID: 734d3e05bba83fa0471af0813c72340929434d72df4fe6b771dac37410ee5829
Opcode Fuzzy Hash: 777162e1a9e29bc6b5e3c18b56ce1448f000ae5022c7882befbeaf6f7fed058b
Instruction Fuzzy Hash: 8D41B234E00249EBCF10DF69CC86A9EBBB5BF44324F548165F825AB392D731AA05CBD0

Function 00CA10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CA307A
Part of subcall function 00CA304E: _wcslen.LIBCMT ref: 00CA309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CA1112
WSAGetLastError.WSOCK32 ref: 00CA1121
WSAGetLastError.WSOCK32 ref: 00CA11C9
closesocket.WSOCK32(00000000), ref: 00CA11F9

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b385e8ac237ea3493b801d76e34689cda3b1ee48d0d7a7a526456d6c34a24047
Instruction ID: a5a48dcd7e8db27acad2ad9c834fc8ccbc0cdc3003ead16a936a3826087911db
Opcode Fuzzy Hash: b385e8ac237ea3493b801d76e34689cda3b1ee48d0d7a7a526456d6c34a24047
Instruction Fuzzy Hash: 04410531600215AFDB109F54D884BAEB7E9EF46368F188159FE15AB292C770EE41CBE0

Function 00C8CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C8CF22,?), ref: 00C8DDFD

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C8CF22,?), ref: 00C8DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C8CF45
MoveFileW.KERNEL32(?,?), ref: 00C8CF7F
_wcslen.LIBCMT ref: 00C8D005
_wcslen.LIBCMT ref: 00C8D01B
SHFileOperationW.SHELL32(?), ref: 00C8D061

Strings

\*.*, xrefs: 00C8CFF3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 33864b0ce03ecbb73b3f78c3fe39ff13d5385fbdad79a670f8e267196b6a45ab
Instruction ID: ec851b21ca98f5d8de4db1b373d88b5bbd3a9b6fbf38f9b9a3629751a93c2f3a
Opcode Fuzzy Hash: 33864b0ce03ecbb73b3f78c3fe39ff13d5385fbdad79a670f8e267196b6a45ab
Instruction Fuzzy Hash: F94142719052185FDF12FBA4D9C1ADEB7B8AF18384F1000E6E605EB142EB34AB44DF64

Function 00CB2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CB2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CB2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CB2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CB2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CB2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CB2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB2F0B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: dfe2adee70f4252a8a1ebc0ca0af840716d7cfacc9d7056c111c27fcebed74a0
Instruction ID: b773c070c3dd81be481303d0d5673783dd881a86863e7c892a9c5563b647ba69
Opcode Fuzzy Hash: dfe2adee70f4252a8a1ebc0ca0af840716d7cfacc9d7056c111c27fcebed74a0
Instruction Fuzzy Hash: 4231F230644290EFDB218F59DC84FA937E5EB9A721F190164F9118B2B1CBB1EE40DB51

Function 00C87726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C8778F
SysAllocString.OLEAUT32(00000000), ref: 00C87792
SysAllocString.OLEAUT32(?), ref: 00C877B0
SysFreeString.OLEAUT32(?), ref: 00C877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C877DE
SysAllocString.OLEAUT32(?), ref: 00C877EC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9d0f234ca50fde75fb11ff9bdbd60c8ce108c2f4bd6d20b39e6d5bb985e1127c
Instruction ID: ba4dd7e2ac651319be5aabdf89f64f56cbe4f870b502e1f591294d158b0bff94
Opcode Fuzzy Hash: 9d0f234ca50fde75fb11ff9bdbd60c8ce108c2f4bd6d20b39e6d5bb985e1127c
Instruction Fuzzy Hash: 7E21C476604219AFDF11EFA8CC88EBF73ACEB09768B148625F914DB150E670DD41CB64

Function 00C877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C87868
SysAllocString.OLEAUT32(00000000), ref: 00C8786B
SysAllocString.OLEAUT32 ref: 00C8788C
SysFreeString.OLEAUT32 ref: 00C87895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C878AF
SysAllocString.OLEAUT32(?), ref: 00C878BD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7d5b7babf84c19b4b604a9d8cfe34f61b88fab011873ad7c3c87764b9b40f6c1
Instruction ID: 81f0c56ade281ecec909af2e6a17aa281accd95b5e1c76c2b895da5a2c83ab8e
Opcode Fuzzy Hash: 7d5b7babf84c19b4b604a9d8cfe34f61b88fab011873ad7c3c87764b9b40f6c1
Instruction Fuzzy Hash: 74217731608104AFDB10AFA9DC88EBA77ECEB09764B108225F915DB2E1E674DD41CB78

Function 00C904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C9052E

Strings

nul, xrefs: 00C90567

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 25482ccf42341fd1376964e22218eeaa6db31b8675d4ddaa4643318e5559c703
Instruction ID: 0d0c56e262bad4b07d5f85011f993a57a3ee5089444e860e165eadcd6fc1ebee
Opcode Fuzzy Hash: 25482ccf42341fd1376964e22218eeaa6db31b8675d4ddaa4643318e5559c703
Instruction Fuzzy Hash: AE215A75500305AFDF209F69D849B9A7BA8AF44B64F714A29E8B1E62E0D7709A40CF24

Function 00C905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C90601

Strings

nul, xrefs: 00C90639

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c90c62a8fb0311744f27c4b592f609754ecd3fe115c9a244ce69c7e55e561dd5
Instruction ID: 2b1bd377f3759cd1f754cf6fbf5df1e47d2dfcffb5228585d74c9917071e9448
Opcode Fuzzy Hash: c90c62a8fb0311744f27c4b592f609754ecd3fe115c9a244ce69c7e55e561dd5
Instruction Fuzzy Hash: 36213D755003059FDF209F699848A9A77A8AF95B25F300B19FCB1E72E0D7709A60CB20

Function 00CB40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
Part of subcall function 00C2600E: GetStockObject.GDI32(00000011), ref: 00C26060
Part of subcall function 00C2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CB4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CB411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CB412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CB4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CB4145

Strings

Msctls_Progress32, xrefs: 00CB40E3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: fbacac303d39f4192a24773a1fad3606a4cc7d34fd85d09893180e8a083bb309
Instruction ID: a9f89588de6ba830235d910e587e3bcaf50dc2f61fa1ae16de9eeb24fc2b388e
Opcode Fuzzy Hash: fbacac303d39f4192a24773a1fad3606a4cc7d34fd85d09893180e8a083bb309
Instruction Fuzzy Hash: 4611B2B2150219BEEF119F65CC85EEB7F6DEF08798F014111FA18A2090CA729C21DBA4

Function 00C5D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C5D7A3: _free.LIBCMT ref: 00C5D7CC

_free.LIBCMT ref: 00C5D82D

Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5D838
_free.LIBCMT ref: 00C5D843
_free.LIBCMT ref: 00C5D897
_free.LIBCMT ref: 00C5D8A2
_free.LIBCMT ref: 00C5D8AD
_free.LIBCMT ref: 00C5D8B8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 66ba420e65a1cf823148204d515842b2114572188afea480502a81a2c306e6ff
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DF11B135540B04AAD531BFB0CC07FCB7BDCEF19342F400824BA9AE6992CA24B5896654

Function 00C8DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C8DA74
LoadStringW.USER32(00000000), ref: 00C8DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C8DA91
LoadStringW.USER32(00000000), ref: 00C8DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C8DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C8DAB9

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 737da4218315c4ee19ae2d14e7367e58b65cd84e957ecab61dfd978f7c1917f1
Instruction ID: e1e19340adbcf361551ba28f83b119c2777deb050517fed3a7d9481aa1a63ef5
Opcode Fuzzy Hash: 737da4218315c4ee19ae2d14e7367e58b65cd84e957ecab61dfd978f7c1917f1
Instruction Fuzzy Hash: 8D0162F29402087FE711ABA49DC9FFB376CE708705F400591B706E2081EA749E844F74

Function 00C9096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(016BF028,016BF028), ref: 00C9097B
EnterCriticalSection.KERNEL32(016BF008,00000000), ref: 00C9098D
TerminateThread.KERNEL32(?,000001F6), ref: 00C9099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00C909A9
CloseHandle.KERNEL32(?), ref: 00C909B8
InterlockedExchange.KERNEL32(016BF028,000001F6), ref: 00C909C8
LeaveCriticalSection.KERNEL32(016BF008), ref: 00C909CF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1ca8d29a572ae3b7ff8c76547e4d65170e758091c5f4f47da2260b7b83d0dcdb
Instruction ID: fff644f1f1e00a205ed09ee00d4dfdbafb0d2cc3055f575070397b793bdfeb5a
Opcode Fuzzy Hash: 1ca8d29a572ae3b7ff8c76547e4d65170e758091c5f4f47da2260b7b83d0dcdb
Instruction Fuzzy Hash: 34F01932442A12ABDB455FA4EECCBDABA29BF01702F502226F202908A1C7749975CF91

Function 00C25D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C25D30
GetWindowRect.USER32(?,?), ref: 00C25D71
ScreenToClient.USER32(?,?), ref: 00C25D99
GetClientRect.USER32(?,?), ref: 00C25ED7
GetWindowRect.USER32(?,?), ref: 00C25EF8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b2d628629851a71abe5f436a9866d2b5a3d1b085cc691245937b099c67b91e87
Instruction ID: 7417e87ca0848837d54a78f6b5668353b15c20f217c3c9ad36fddc0b7ada4003
Opcode Fuzzy Hash: b2d628629851a71abe5f436a9866d2b5a3d1b085cc691245937b099c67b91e87
Instruction Fuzzy Hash: 11B17874A00B4ADBDB24CFA9C4807EEB7F1FF58310F14851AE8A9D7690DB34AA51DB50

Function 00C501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C500D6
__allrem.LIBCMT ref: 00C500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C5010B
__allrem.LIBCMT ref: 00C50122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C50140

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 1204c1b6e124a4d6e77624994844cdb107d0186a3f21ac1fad389749a2a5002b
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: DB81087AA00B069BE7209F68CC42B6F77E8AF41325F24413EFC21D6681E770DA899755

Function 00CA1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00CA101C,00000000,?,?,00000000), ref: 00CA3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CA1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CA1DE1
WSAGetLastError.WSOCK32 ref: 00CA1DF2
inet_ntoa.WSOCK32(?), ref: 00CA1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00CA1EDB
_strlen.LIBCMT ref: 00CA1F35

Part of subcall function 00C839E8: _strlen.LIBCMT ref: 00C839F2

Part of subcall function 00C26D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00C3CF58,?,?,?), ref: 00C26DBA
Part of subcall function 00C26D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00C3CF58,?,?,?), ref: 00C26DED

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 20c03d0499d1f374621394c777a535099f3629a521a6d8d1b63b2ae4c1bed675
Instruction ID: 7c123d7b6f48faf229b9c59efa8e02383a1eb20021eab94c230952da47968234
Opcode Fuzzy Hash: 20c03d0499d1f374621394c777a535099f3629a521a6d8d1b63b2ae4c1bed675
Instruction Fuzzy Hash: 58A10131504392AFC324DF60C895F2A77E5AF85318F58895CF8665B2E2CB31EE42CB91

Function 00C561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C482D9,00C482D9,?,?,?,00C5644F,00000001,00000001,8BE85006), ref: 00C56258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C5644F,00000001,00000001,8BE85006,?,?,?), ref: 00C562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C563D8
__freea.LIBCMT ref: 00C563E5

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

__freea.LIBCMT ref: 00C563EE
__freea.LIBCMT ref: 00C56413

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a4be114f3b4f04106ab5a1719691d60858cbfbcc43726d09c3ef296ea3fc8b8c
Instruction ID: 54b887fd6fa2180423730db8a81e5e33e25cd9e73069f8a996c8404f625376ba
Opcode Fuzzy Hash: a4be114f3b4f04106ab5a1719691d60858cbfbcc43726d09c3ef296ea3fc8b8c
Instruction Fuzzy Hash: A0514276600206ABEB258F64CC81FAF7BA9EF40752F540228FD15D7150EB30DDC8D668

Function 00CABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CABD25
RegCloseKey.ADVAPI32(00000000), ref: 00CABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CABDF3
RegCloseKey.ADVAPI32(?), ref: 00CABDFF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f2efd284e346c2994e94b09368bbd337a3454490730d2f9c23a560ff5fc8800d
Instruction ID: 08228a92749da6389b8dec1a2391c65e22f42f665e77cfd887a1bdfb405cb1ca
Opcode Fuzzy Hash: f2efd284e346c2994e94b09368bbd337a3454490730d2f9c23a560ff5fc8800d
Instruction Fuzzy Hash: 8B819030608242EFD714DF24C895E2ABBE5FF85308F14896CF45A4B2A2DB31ED45DB92

Function 00C7F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C7F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C7F860
VariantCopy.OLEAUT32(00C7FA64,00000000), ref: 00C7F889
VariantClear.OLEAUT32(00C7FA64), ref: 00C7F8AD
VariantCopy.OLEAUT32(00C7FA64,00000000), ref: 00C7F8B1
VariantClear.OLEAUT32(?), ref: 00C7F8BB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ffd6463bd33bd37c8259f0b014dfeb3569ba936c0386a2d0d62739c96d3e8651
Instruction ID: 990e37dac8d1bbf010a18450e8c51687961d76f34644beff303bfc776984eb10
Opcode Fuzzy Hash: ffd6463bd33bd37c8259f0b014dfeb3569ba936c0386a2d0d62739c96d3e8651
Instruction Fuzzy Hash: 7851A431510310AACF24AF66D8D5B69B3A4FF45310F24D46EE909EF291DB708D42DB66

Function 00C9910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C994E5
_wcslen.LIBCMT ref: 00C99506
_wcslen.LIBCMT ref: 00C9952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C99585

Strings

X, xrefs: 00C99412

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fd485dbceda080c4067f52021018823d7994e3c101e415e4b163ef61f6bf7fc1
Instruction ID: 20f26777dacd9138a649f68ff72ee51f90cd663b514d1dcf9649090f1d9d4e05
Opcode Fuzzy Hash: fd485dbceda080c4067f52021018823d7994e3c101e415e4b163ef61f6bf7fc1
Instruction Fuzzy Hash: 3DE1B2315083519FCB24EF28D485B6AB7E4FF85310F04896DF8999B2A2DB31DD05CB92

Function 00C3920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

BeginPaint.USER32(?,?,?), ref: 00C39241
GetWindowRect.USER32(?,?), ref: 00C392A5
ScreenToClient.USER32(?,?), ref: 00C392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C392D3
EndPaint.USER32(?,?,?,?,?), ref: 00C39321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C771EA

Part of subcall function 00C39339: BeginPath.GDI32(00000000), ref: 00C39357

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: adf8c78dc13431891a6aa79961793355daf014d0d4803785ac40ed104481342e
Instruction ID: a4705835bcde36f9d4a0b90625ac400f8eb97127c83331f0854cf097d2d16234
Opcode Fuzzy Hash: adf8c78dc13431891a6aa79961793355daf014d0d4803785ac40ed104481342e
Instruction Fuzzy Hash: 5341AC70104200EFD721DF25DCC4FBA7BB8EB45324F040269F9A9972B1C7B19945DBA2

Function 00C907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C9080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C90847
EnterCriticalSection.KERNEL32(?), ref: 00C90863
LeaveCriticalSection.KERNEL32(?), ref: 00C908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C90921

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a848b1c6f6dd14350f8bce68a64c9222e4a4432f662a62fb5ad3db17eb2b7c60
Instruction ID: b6f6c1e65d4c285d3e685e472c2a45b3fd74e5234dbae69bdfe51df2a36fc2ee
Opcode Fuzzy Hash: a848b1c6f6dd14350f8bce68a64c9222e4a4432f662a62fb5ad3db17eb2b7c60
Instruction Fuzzy Hash: 1A416871A00205EFDF14AF54DC85AAA77B8FF04300F2440A9ED00AA297DB30DE65DBA4

Function 00CB81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C7F3AB,00000000,?,?,00000000,?,00C7682C,00000004,00000000,00000000), ref: 00CB824C
EnableWindow.USER32(?,00000000), ref: 00CB8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CB82D1
ShowWindow.USER32(?,00000004), ref: 00CB82E5
EnableWindow.USER32(?,00000001), ref: 00CB830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CB832F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 825c9dc925f7c1c0182efeaf11900bb516e2e15922d6801eea108be3978c4236
Instruction ID: 4a80379c8908f9b9f9b210089d09961daea0fee67ef84f02f58cae23bdd6ba2b
Opcode Fuzzy Hash: 825c9dc925f7c1c0182efeaf11900bb516e2e15922d6801eea108be3978c4236
Instruction Fuzzy Hash: 27419434601644EFDF11CF15C899BE87BE4BB1A714F1842A9E9184F272CB71AE49CB52

Function 00C84C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C84C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C84CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C84CEA
_wcslen.LIBCMT ref: 00C84D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C84D10
_wcsstr.LIBVCRUNTIME ref: 00C84D1A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: fc76b48b56d3a8a9cf174e4fe7733225da0668320e0f4a440039f88e8e99da01
Instruction ID: 4656be4d90b0af2b7b4eb8087158d82014da3003959322e8cfc53af23865882e
Opcode Fuzzy Hash: fc76b48b56d3a8a9cf174e4fe7733225da0668320e0f4a440039f88e8e99da01
Instruction Fuzzy Hash: 79210872604211BBEB196B3AEC49F7F7BACDF45754F10803EF805CA191EA61DD0197A4

Function 00C9581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C23A97,?,?,00C22E7F,?,?,?,00000000), ref: 00C23AC2

_wcslen.LIBCMT ref: 00C9587B
CoInitialize.OLE32(00000000), ref: 00C95995
CoCreateInstance.OLE32(00CBFCF8,00000000,00000001,00CBFB68,?), ref: 00C959AE
CoUninitialize.OLE32 ref: 00C959CC

Strings

.lnk, xrefs: 00C95876, 00C958C1, 00C95985

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4b0946db0a68d778cf594eed7df4c750d4c3f99f9992e00af05e0b8fbe04b079
Instruction ID: e22d39b16fb5e12e03e240869af5bf18fad8fc768d51ed5b84a399aa9146ce26
Opcode Fuzzy Hash: 4b0946db0a68d778cf594eed7df4c750d4c3f99f9992e00af05e0b8fbe04b079
Instruction Fuzzy Hash: B4D164716047119FCB14DF28C488A2ABBE1FF89710F14896DF8999B361DB31ED46CB92

Function 00C8175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C80FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C80FCA
Part of subcall function 00C80FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C80FD6
Part of subcall function 00C80FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C80FE5
Part of subcall function 00C80FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C80FEC
Part of subcall function 00C80FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C81002

GetLengthSid.ADVAPI32(?,00000000,00C81335), ref: 00C817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C817BA
HeapAlloc.KERNEL32(00000000), ref: 00C817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C817DA
GetProcessHeap.KERNEL32(00000000,00000000,00C81335), ref: 00C817EE
HeapFree.KERNEL32(00000000), ref: 00C817F5

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 461e2410121c2f70899a3c652562ad7e41e8d14b9c031eb39232218fe05e4491
Instruction ID: 7cfab86b4829dc61cfed4071c72a26bfb71d5cccdcb666b337f77d58bf156137
Opcode Fuzzy Hash: 461e2410121c2f70899a3c652562ad7e41e8d14b9c031eb39232218fe05e4491
Instruction Fuzzy Hash: C411AC72500205FFDB10AFA8DC89BAE7BEDEB41359F18411DF881A7210C735AA45CB64

Function 00C814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C81506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C81515
CloseHandle.KERNEL32(00000004), ref: 00C81520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C8154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C81563

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ddc5305e40b9db596df9c2b3fdb167aafbecd34bc706a54a30e18f2bf6b562e1
Instruction ID: 51db26dc862fea9ff23dfbae7a1e2c3be45b2de6c767b7b7e4a2ba2341f1fefd
Opcode Fuzzy Hash: ddc5305e40b9db596df9c2b3fdb167aafbecd34bc706a54a30e18f2bf6b562e1
Instruction Fuzzy Hash: 88115972504209ABDF119F98ED89FDE7BADEF48718F088124FE15A2060C3758E61DB60

Function 00C43382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C43379,00C42FE5), ref: 00C43390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C4339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C433B7
SetLastError.KERNEL32(00000000,?,00C43379,00C42FE5), ref: 00C43409

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ecee6721194a9c5420c8892544ace85d73ad21b92701af42802b2389c108ea41
Instruction ID: c4eea27888a31e2114a075bdc8d7b112f357a0fa3e7d7e84051fe99241149b2c
Opcode Fuzzy Hash: ecee6721194a9c5420c8892544ace85d73ad21b92701af42802b2389c108ea41
Instruction Fuzzy Hash: 4E01D4336093A2BEA6292B757CC5BAF2EA4FB957797200229F530852F1EF114F036544

Function 00C52D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C55686,00C63CD6,?,00000000,?,00C55B6A,?,?,?,?,?,00C4E6D1,?,00CE8A48), ref: 00C52D78
_free.LIBCMT ref: 00C52DAB
_free.LIBCMT ref: 00C52DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C4E6D1,?,00CE8A48,00000010,00C24F4A,?,?,00000000,00C63CD6), ref: 00C52DEC
_abort.LIBCMT ref: 00C52DF2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9c0464613d2ccae15dedbf6a6573479cab6ee0190a1f5d47c54718cf470ab030
Instruction ID: 86dbce0b7ecbd49f5b152023c23c40247a3b84725771b1304143fe33be48a725
Opcode Fuzzy Hash: 9c0464613d2ccae15dedbf6a6573479cab6ee0190a1f5d47c54718cf470ab030
Instruction Fuzzy Hash: BBF0A43E504A0027C2122735AC46F5E26E9ABD37A3F244519FC34A21E2EF2489CEA168

Function 00CB8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396A2
Part of subcall function 00C39639: BeginPath.GDI32(?), ref: 00C396B9
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CB8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CB8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CB8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CB8A80
EndPath.GDI32(?), ref: 00CB8A90
StrokePath.GDI32(?), ref: 00CB8AA0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 072e375aa9d0e5509b3b769cf4533be92b086fad1b58be6c271eab74bdfd6f95
Instruction ID: 3875a33408708700cb102ed4ff8591a79e8b0c7f7285bc2b7f8f4cec42199d64
Opcode Fuzzy Hash: 072e375aa9d0e5509b3b769cf4533be92b086fad1b58be6c271eab74bdfd6f95
Instruction Fuzzy Hash: EC11C576400109FFEB129F94EC88FAE7F6DEB08354F048122BA599A1A1C7719E55DFA0

Function 00C851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C85218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C85229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C85230
ReleaseDC.USER32(00000000,00000000), ref: 00C85238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C8524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C85261

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8ba81f0e943880d26276a8ae79dbcd80dab63389c56c69099340ca5cfc8770e8
Instruction ID: c3434d36a12fc9dedc797d275c028cb886714c15cd83d2ca59f358335ea2cd9d
Opcode Fuzzy Hash: 8ba81f0e943880d26276a8ae79dbcd80dab63389c56c69099340ca5cfc8770e8
Instruction Fuzzy Hash: E2016275E00718BBEB10ABE99C89F5EBFB8EF48751F044165FA04A7281DA709D00CFA0

Function 00C21BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C21BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C21BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C21C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C21C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C21C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C21C22

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ffeb1182f14e4a45a2d66d06e94a39a89cb9b7c21d0db16fef00c89b947cb706
Instruction ID: 704efd70c65d88b3e04932edc29a776e81e5efe5fc46c7c9c06412d8aec0d335
Opcode Fuzzy Hash: ffeb1182f14e4a45a2d66d06e94a39a89cb9b7c21d0db16fef00c89b947cb706
Instruction Fuzzy Hash: 060167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00C8EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C8EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C8EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C8EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8EB75

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 55168f2f87710c6150d6b37b4a3d370785e376a7e3343969c130587beced3a62
Instruction ID: 264ca7c181da8c3a7205939ad5ea3ce53967bb88866d715157cd861d18d9d054
Opcode Fuzzy Hash: 55168f2f87710c6150d6b37b4a3d370785e376a7e3343969c130587beced3a62
Instruction Fuzzy Hash: 20F03A72240158BBE7215B629C4EFEF3B7CEFCAB11F000269FA11E1091E7A05A01C6B5

Function 00C77439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C77452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C77469
GetWindowDC.USER32(?), ref: 00C77475
GetPixel.GDI32(00000000,?,?), ref: 00C77484
ReleaseDC.USER32(?,00000000), ref: 00C77496
GetSysColor.USER32(00000005), ref: 00C774B0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8fc0d965e852ce153a637f04b8677d35afb1f7ba3ecfe6dc61106b55b32e3a2f
Instruction ID: 7dd0c127fe53c8ab13057ea034f68682cd45671ef03f2303a91832c1d10dfc3d
Opcode Fuzzy Hash: 8fc0d965e852ce153a637f04b8677d35afb1f7ba3ecfe6dc61106b55b32e3a2f
Instruction Fuzzy Hash: 6E012431400219EFEB615FA4DC48BAE7BB6FB04321F654264F92AA21A1CB311E51EF61

Function 00C81874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C8187F
UnloadUserProfile.USERENV(?,?), ref: 00C8188B
CloseHandle.KERNEL32(?), ref: 00C81894
CloseHandle.KERNEL32(?), ref: 00C8189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C818A5
HeapFree.KERNEL32(00000000), ref: 00C818AC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1937814c491f310dfce94804b11af9fabcb9a98d55a597651c2198325cc39676
Instruction ID: 3d0ed40f6cd388fde6f4f9e5b0b4d6c3040d4634f6f61a7f5dda520443dd3c1c
Opcode Fuzzy Hash: 1937814c491f310dfce94804b11af9fabcb9a98d55a597651c2198325cc39676
Instruction Fuzzy Hash: 6FE0C276004101BBDA015FA5ED4CB4EBB69FB59B22B508321F225A1070CB329420DB60

Function 00C8C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C8C6EE
_wcslen.LIBCMT ref: 00C8C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C8C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C8C7CA

Strings

0, xrefs: 00C8C6AF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 80b8da7df10bb3f85f8f8f5fb631dbbf7c2705258a2b2fb46cbc36f7dd65092e
Instruction ID: b1d13fe02fbcbae4711c023bf531008b19547a43ad5a23d264aa879322e6da09
Opcode Fuzzy Hash: 80b8da7df10bb3f85f8f8f5fb631dbbf7c2705258a2b2fb46cbc36f7dd65092e
Instruction Fuzzy Hash: CD51BF716143019BD754AF28C8C5B6B77E8AF49318F040A2DF9A5D31A0DB70DE04DB6A

Function 00CAAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CAAEA3

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

GetProcessId.KERNEL32(00000000), ref: 00CAAF38
CloseHandle.KERNEL32(00000000), ref: 00CAAF67

Strings

<, xrefs: 00CAAE6B
@, xrefs: 00CAAE72

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c89ea0ca2f0eb77663865524578f01d21114b6d5b2dd22b6675af845428a8c16
Instruction ID: 420956a3af846b1422a6071e3b0ce03a80321c2eddbd9f664b29274757692016
Opcode Fuzzy Hash: c89ea0ca2f0eb77663865524578f01d21114b6d5b2dd22b6675af845428a8c16
Instruction Fuzzy Hash: D9718D71A00226DFCB14DF94D484A9EBBF0FF09314F0484A9E856AB7A2C774EE45DB91

Function 00C8719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C87206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C8723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C8724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C872CF

Strings

DllGetClassObject, xrefs: 00C87242

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8626f16b3ceddf59b46abf067799d27547c56d3f55f638253bf5aaea1336d9b7
Instruction ID: d5b0327e33027e95160419cd793e17905278c56e79f1119325ee889534c93e0b
Opcode Fuzzy Hash: 8626f16b3ceddf59b46abf067799d27547c56d3f55f638253bf5aaea1336d9b7
Instruction Fuzzy Hash: 8A419171604204EFDB15DF54C884B9A7BA9EF84318F2582ADBD05DF21AE7B0DE40CBA4

Function 00CB3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CB3E35
IsMenu.USER32(?), ref: 00CB3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CB3E92
DrawMenuBar.USER32 ref: 00CB3EA5

Strings

0, xrefs: 00CB3D89

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2726f13dd9ce251c10ba3be92781daf299793c3b9ece2bd58accb1bb94bb52bf
Instruction ID: 723a0875e36b81cfef6f410394e85ef5233f00417bd0e0c17f795028d8d2dcf7
Opcode Fuzzy Hash: 2726f13dd9ce251c10ba3be92781daf299793c3b9ece2bd58accb1bb94bb52bf
Instruction Fuzzy Hash: 7A413875A01289EFDB20DF50D884AEABBB9FF49354F04412AF915AB250D730EE44DFA0

Function 00C81DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C81E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C81E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C81EA9

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Strings

ComboBox, xrefs: 00C81DF0
ListBox, xrefs: 00C81E25

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 9fe1c0583deac720ca450e00f4da08d7cefc499378b221d8a3aebbf277d2d4da
Instruction ID: 190b53c57860b573a1d2c21e9f7f58d268fb9b74cfd176db29d972e718209322
Opcode Fuzzy Hash: 9fe1c0583deac720ca450e00f4da08d7cefc499378b221d8a3aebbf277d2d4da
Instruction Fuzzy Hash: 0321F371A00104ABDB14AB65EC89DFFB7BCEF45358F184129FC25A71E1DB744A0AA720

Function 00CAC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CAC9F1
_wcslen.LIBCMT ref: 00CACA68
_wcslen.LIBCMT ref: 00CACA9E
_wcslen.LIBCMT ref: 00CACAF9
_wcslen.LIBCMT ref: 00CACB2F
_wcslen.LIBCMT ref: 00CACB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00CACA62, 00CACA67
HKLM, xrefs: 00CACA98, 00CACA9D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 1cd8153ee64a202fd69177fd721fa6472cf709a6229e3cb2f0aa546dbbff6f38
Instruction ID: c79a7a57d5804740466f2573552b20ef4523437461035f2cf0f5a9f347ba602e
Opcode Fuzzy Hash: 1cd8153ee64a202fd69177fd721fa6472cf709a6229e3cb2f0aa546dbbff6f38
Instruction Fuzzy Hash: F731F77360056F4BCB20DF6DD9C01BE33919B62758F154029E865AB244EA70CF41F3A0

Function 00CB2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CB2F8D
LoadLibraryW.KERNEL32(?), ref: 00CB2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CB2FA9
DestroyWindow.USER32(?), ref: 00CB2FB1

Strings

SysAnimate32, xrefs: 00CB2F68

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: dcea72db2825194ad4f7ec727a141ad12504f1bfe48e89d3da448d58ab682c37
Instruction ID: ef1b9fd6872bc488d48e9b8832c1660ad87fb75d83f654c22765bab5adffea3e
Opcode Fuzzy Hash: dcea72db2825194ad4f7ec727a141ad12504f1bfe48e89d3da448d58ab682c37
Instruction Fuzzy Hash: D2218C71204225ABEF104FE4DC84FFB77B9EB59364F104628F960D6190D771DD51A760

Function 00C44D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C44D1E,00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002), ref: 00C44D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C44DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C44D1E,00C528E9,?,00C44CBE,00C528E9,00CE88B8,0000000C,00C44E15,00C528E9,00000002,00000000), ref: 00C44DC3

Strings

mscoree.dll, xrefs: 00C44D86
CorExitProcess, xrefs: 00C44D98

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cffedbc6aaea02fc72162c64b9067c22c7d900c0c63523aa67cf7ab52288c137
Instruction ID: 3ef9e3f13c2ad85737da8d371171721b8a92b8cd12a6dfa89cd5f92035d3a3f4
Opcode Fuzzy Hash: cffedbc6aaea02fc72162c64b9067c22c7d900c0c63523aa67cf7ab52288c137
Instruction Fuzzy Hash: 00F04F35A40208BBDB159F94DC89BADBFF9FF44751F1001A8F90AA2260CB715A41DB90

Function 00C24E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24EAE
FreeLibrary.KERNEL32(00000000,?,?,00C24EDD,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C24EA8
kernel32.dll, xrefs: 00C24E94

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c5f2c85021aabc99e4f7f02e8ff8f2dfe8014a6d421370201af247701179a96a
Instruction ID: 901ca83ae5cfce3ee241049e18614def399806c5e381ebb96be0e521fb73f435
Opcode Fuzzy Hash: c5f2c85021aabc99e4f7f02e8ff8f2dfe8014a6d421370201af247701179a96a
Instruction Fuzzy Hash: A5E0CD36A027325BE2311729BC5CB5FA558AF81F62F060225FC10F3240DBA0CE0240B0

Function 00C24E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24E74
FreeLibrary.KERNEL32(00000000,?,?,00C63CDE,?,00CF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C24E87

Strings

kernel32.dll, xrefs: 00C24E5B
Wow64RevertWow64FsRedirection, xrefs: 00C24E6E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5174a198e616a4289d098b1745ab0250853107833725d91125d1cbac01d7cfbe
Instruction ID: a5619f825b3202c7654cb2528b62bbfbad0e8ebf1541256f2a11a554996a19ee
Opcode Fuzzy Hash: 5174a198e616a4289d098b1745ab0250853107833725d91125d1cbac01d7cfbe
Instruction Fuzzy Hash: 4DD01236502632576A261B297C5CF8FAA18AF85B517060625F915B6124CF60CE0285E0

Function 00C92947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92C05
DeleteFileW.KERNEL32(?), ref: 00C92C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C92C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C92CC0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 853b446abe12834cc37f94fd1a448e071e13fd174f977eb2541f5a93fdf2a0db
Instruction ID: 8f92a7e2bd3797693fa224c90f3c0d2f7934701e2185a50d4c872ad6cbf7b6a5
Opcode Fuzzy Hash: 853b446abe12834cc37f94fd1a448e071e13fd174f977eb2541f5a93fdf2a0db
Instruction Fuzzy Hash: 61B14D72E00129ABDF25EFA4CC89EDEB7BDEF48350F1040A6F509E6141EA319E449F61

Function 00CAA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CAA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CAA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CAA468
CloseHandle.KERNEL32(?), ref: 00CAA63D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8e6f28da96a23417c2b910714263f476e2c090cd8b119d9f540af2f4604bb05c
Instruction ID: ec09c4db732b0c6441e6fa26cac67dc63ae4671e9459b09d1ddbb43e268893ba
Opcode Fuzzy Hash: 8e6f28da96a23417c2b910714263f476e2c090cd8b119d9f540af2f4604bb05c
Instruction Fuzzy Hash: 6FA1A171604301AFD720DF28D886F2AB7E5AF88714F14881DF56A9B6D2D7B0ED41CB92

Function 00C8E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C8CF22,?), ref: 00C8DDFD

Part of subcall function 00C8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C8CF22,?), ref: 00C8DE16

Part of subcall function 00C8E199: GetFileAttributesW.KERNEL32(?,00C8CF95), ref: 00C8E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C8E473
MoveFileW.KERNEL32(?,?), ref: 00C8E4AC
_wcslen.LIBCMT ref: 00C8E5EB
_wcslen.LIBCMT ref: 00C8E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C8E650

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 9e6ccad7b17ae10b1744d05f60225ec2a22b1fdf689d29d48c79238b2854f51b
Instruction ID: 0d7b04cf528491938c7e8f9b9c2b1d8296b9ecc82edb081d8ea9710c7b7d6fca
Opcode Fuzzy Hash: 9e6ccad7b17ae10b1744d05f60225ec2a22b1fdf689d29d48c79238b2854f51b
Instruction Fuzzy Hash: D25162B25083455BC734FBA0D8819DFB3ECAF85344F00492EF599D3191EF74A688976A

Function 00CAB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00CAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CAB6AE,?,?), ref: 00CAC9B5
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CAC9F1
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA68
Part of subcall function 00CAC998: _wcslen.LIBCMT ref: 00CACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CABB63
RegCloseKey.ADVAPI32(?,?), ref: 00CABBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CABBB3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 65b3c7e08afc9e73e330d63865dafd95d972c6741cea6e20e3813cd6332642b7
Instruction ID: 0e51ba610f2c69ceff7108e5640af7435c938647d8611ec391168127b6003ac3
Opcode Fuzzy Hash: 65b3c7e08afc9e73e330d63865dafd95d972c6741cea6e20e3813cd6332642b7
Instruction Fuzzy Hash: F661A131208242AFD314DF64D490E2ABBE5FF85308F14856CF49A8B2A2DB31ED45DB92

Function 00C88BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C88BCD
VariantClear.OLEAUT32 ref: 00C88C3E
VariantClear.OLEAUT32 ref: 00C88C9D
VariantClear.OLEAUT32(?), ref: 00C88D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C88D3B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2261bc14d92bbf0f751a94d42746f91dff2d27ef3141a4ebddcdbc67b7e122fc
Instruction ID: 79db256667961928e3af625c272c57da4ed6100eeeaec7d2c61862a287287907
Opcode Fuzzy Hash: 2261bc14d92bbf0f751a94d42746f91dff2d27ef3141a4ebddcdbc67b7e122fc
Instruction Fuzzy Hash: B5518AB5A0021AEFCB10DF28C884AAAB7F8FF89314F11855AE915DB350E730E911CF94

Function 00C98AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C98BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C98BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C98C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C98C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C98C5F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f3214af57621dfdd147ec9f6779a9b901429a633dff84423e58a85ffc9d47aa4
Instruction ID: 1f6a759f03e27b13732a94f7a076f7e26aeac0697b75a2cae83ece984eb85130
Opcode Fuzzy Hash: f3214af57621dfdd147ec9f6779a9b901429a633dff84423e58a85ffc9d47aa4
Instruction Fuzzy Hash: 65515A35A002159FCF00DF64C884A6EBBF5FF49314F088468E849AB362CB31ED51DB90

Function 00CA8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CA8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CA8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CA8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CA9032
FreeLibrary.KERNEL32(00000000), ref: 00CA9052

Part of subcall function 00C3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C91043,?,753CE610), ref: 00C3F6E6
Part of subcall function 00C3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C7FA64,00000000,00000000,?,?,00C91043,?,753CE610,?,00C7FA64), ref: 00C3F70D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 044190eb21e5ff67484744808899c1ff6d698d6fd9aee086071604373f0b6c54
Instruction ID: 95fb4ae09491532de56f239156d98b2db445f80c15e3c0d8ac890f92ded92e69
Opcode Fuzzy Hash: 044190eb21e5ff67484744808899c1ff6d698d6fd9aee086071604373f0b6c54
Instruction Fuzzy Hash: FC515E35600216DFC715DF58C4959ADBBF1FF4A318F0481A8E815AB762DB31EE85CB90

Function 00CB6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CB6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CB6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CB6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C9AB79,00000000,00000000), ref: 00CB6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CB6CC7

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2364f42d8c6bff2af8aa53c012939faf70840343515a4c9584f07c3cab478535
Instruction ID: 8c29f325cf4171fc246e56ff97eb63392fdbef5253930a8cbb112eb0c425f808
Opcode Fuzzy Hash: 2364f42d8c6bff2af8aa53c012939faf70840343515a4c9584f07c3cab478535
Instruction Fuzzy Hash: DA41C335604104AFDB24CF68CC98FF97FA9EB09360F150268F9A5A72E0C775EE41DA90

Function 00C52051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C520C3
_free.LIBCMT ref: 00C520E3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1dd813f3641a48ce2b5ab09fe81710fb601c21ddce7a51f57748d023ca6789c
Instruction ID: fa6b7377ab81cdf116e6791d22d187a618dc94ccb7abf54804f5678439df67c2
Opcode Fuzzy Hash: e1dd813f3641a48ce2b5ab09fe81710fb601c21ddce7a51f57748d023ca6789c
Instruction Fuzzy Hash: 59410436E002009FCB24DF78C980A5EB3F5EF8A310F154568E916EB392D731AE45DB84

Function 00C3912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C39141
ScreenToClient.USER32(00000000,?), ref: 00C3915E
GetAsyncKeyState.USER32(00000001), ref: 00C39183
GetAsyncKeyState.USER32(00000002), ref: 00C3919D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f2d612f701c97f06d2b8780d38e7cd092456866c84bf14511da0517f6a5ab381
Instruction ID: e74605a7a727a6151b12fb8545cd6f26cd1c114154e10a2975436e5db215fb13
Opcode Fuzzy Hash: f2d612f701c97f06d2b8780d38e7cd092456866c84bf14511da0517f6a5ab381
Instruction Fuzzy Hash: C7414D31A0861AFBDF159F64C848BEEB774FB05320F208329E429A7290C7746A54DF91

Function 00C93874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C93922
TranslateMessage.USER32(?), ref: 00C9394B
DispatchMessageW.USER32(?), ref: 00C93955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C93966

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: ab40de2c3a6090db0d6602c00e178db672a361a6a78d7fc7acdd916a4ab448dc
Instruction ID: 8577350ef7c361c7d814541fe9dc876dafab58491d0d1d0c1c820e59ae937fd9
Opcode Fuzzy Hash: ab40de2c3a6090db0d6602c00e178db672a361a6a78d7fc7acdd916a4ab448dc
Instruction Fuzzy Hash: C231A6705043C1DEEF35CB35984CBBA37A8AB15314F09056DE876D61E0E7B49B89CB12

Function 00C9CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C9CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C9C21E,00000000), ref: 00C9CFF2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 103e6522bba6842a957e520a7934c36295670adbf9705f2d309e80fde75bec9b
Instruction ID: d981a4ed833a411e63613fcaef027b6d30dc8d11ff99f16fbacfc34443f09247
Opcode Fuzzy Hash: 103e6522bba6842a957e520a7934c36295670adbf9705f2d309e80fde75bec9b
Instruction Fuzzy Hash: 5B312971A04605AFDF20DFE5C9C8AAFBBF9EB14355F10442EF516E2151EB30AE419B60

Function 00C81901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C81915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C819E2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 24ad7681d6d28e5a518b5a1aa97d9b77bc3f38d12625533356681e7e4bf75236
Instruction ID: de934a41853c575cfbf6008a010772be3037958bbea362d57ffe7479242bf160
Opcode Fuzzy Hash: 24ad7681d6d28e5a518b5a1aa97d9b77bc3f38d12625533356681e7e4bf75236
Instruction Fuzzy Hash: 2231AF71900219EFCB00DFA8C999BEE3BB9EB04319F144225FD61A72D1C7709A55CB90

Function 00CB5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CB5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CB579D
_wcslen.LIBCMT ref: 00CB57AF
_wcslen.LIBCMT ref: 00CB57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CB5816

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 220150989d3025ab98b05475f4c729d3e3c64e0b1c8f586f1ba61326e5e35396
Instruction ID: d95e334829557323ccd2026200534aa59b542bbd1e6368a1c8da26b15e82fca7
Opcode Fuzzy Hash: 220150989d3025ab98b05475f4c729d3e3c64e0b1c8f586f1ba61326e5e35396
Instruction Fuzzy Hash: 5D216075A04618EADB209FA5CC85BEE7BB8FF54724F108216F929EB1C0D7709A85CF50

Function 00CA0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CA0951
GetForegroundWindow.USER32 ref: 00CA0968
GetDC.USER32(00000000), ref: 00CA09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CA09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CA09E8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: cb9e4b6263bf9a6f59439a046ed40ddb98e28c991965ba4a68bfe0ca01ea5896
Instruction ID: 3b8a1dacc6c7e91be5d177b28ab438985382047424de9241227c49206b8f2437
Opcode Fuzzy Hash: cb9e4b6263bf9a6f59439a046ed40ddb98e28c991965ba4a68bfe0ca01ea5896
Instruction Fuzzy Hash: 64218135600214AFD704EF69D889BAFBBE9EF49740F148168F85AA7752CB30AD04DB50

Function 00C5CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C5CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C5CDE9

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C5CE0F
_free.LIBCMT ref: 00C5CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C5CE31

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8cca702594934c8e00a43ade5a8d66805a86334a83faf7dfe8c2212a9f6da9d9
Instruction ID: a1eaf97c756b08e9f063084f6969a596fd3b4dabe1391eb5e7688ae939a25b5d
Opcode Fuzzy Hash: 8cca702594934c8e00a43ade5a8d66805a86334a83faf7dfe8c2212a9f6da9d9
Instruction Fuzzy Hash: F701477A6013113F232116BA6CCEE7F7A6CDEC2BA23140229FD11D3200EAA08E4591B8

Function 00C39639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
SelectObject.GDI32(?,00000000), ref: 00C396A2
BeginPath.GDI32(?), ref: 00C396B9
SelectObject.GDI32(?,00000000), ref: 00C396E2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 01d79d2d89401c2bd767414774377aa2c63c6438f491ab09274717003f241725
Instruction ID: 80b4ae2ee391a818f498802a5a2857f0966baa072bc58bda4f513b4c0a75a7f6
Opcode Fuzzy Hash: 01d79d2d89401c2bd767414774377aa2c63c6438f491ab09274717003f241725
Instruction Fuzzy Hash: 7E216A30812205EBDB119F29EC597BD3BB8FB10325F184216F820A61B0D3F09A91CFD1

Function 00C85711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C85726
_memcmp.LIBVCRUNTIME ref: 00C85744
_memcmp.LIBVCRUNTIME ref: 00C85757
_memcmp.LIBVCRUNTIME ref: 00C8576F
_memcmp.LIBVCRUNTIME ref: 00C85787

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e51b6eee96deb609b295629cd9b944d3373404a860da93e7abb859755e491bc1
Instruction ID: 8bb9640f6008dfafbca6b85944314ccd121ca11750a7040626992fd0c23ad42d
Opcode Fuzzy Hash: e51b6eee96deb609b295629cd9b944d3373404a860da93e7abb859755e491bc1
Instruction Fuzzy Hash: C701B5A5661609BBE2186511DD82FFB735CAB21398F448034FD149B241F7A0EE9193A8

Function 00C52DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C4F2DE,00C53863,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6), ref: 00C52DFD
_free.LIBCMT ref: 00C52E32
_free.LIBCMT ref: 00C52E59
SetLastError.KERNEL32(00000000,00C21129), ref: 00C52E66
SetLastError.KERNEL32(00000000,00C21129), ref: 00C52E6F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ddaa5e3e4a6d9bad15b1dc40b256b5b972320c69034cdd9f8463e92063c4407a
Instruction ID: f24b54db4efb4e0cc52687e385d848b0c1aab3b7f500771d7792f09c10d51a7e
Opcode Fuzzy Hash: ddaa5e3e4a6d9bad15b1dc40b256b5b972320c69034cdd9f8463e92063c4407a
Instruction Fuzzy Hash: 6A01FE3E10550067C61227756C87F6F16D99BD33A7F244129FC31A2293DFA49DCD5128

Function 00C8000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?,?,00C8035E), ref: 00C8002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?), ref: 00C80064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C7FF41,80070057,?,?), ref: 00C80070

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1e9447ea1817f109f5c86e7bde08b8ce4b2f814d7d975e9b1ca87d048f1c0d09
Instruction ID: 7d8332a6af61c0c82c3134e204095ce6ca8c1b8de23f9561fff56f4de46a8ae7
Opcode Fuzzy Hash: 1e9447ea1817f109f5c86e7bde08b8ce4b2f814d7d975e9b1ca87d048f1c0d09
Instruction Fuzzy Hash: 1601DB72600204BFDB506F68DC88BAE7BEDEF44396F244224F805D2210E776CE449BA0

Function 00C8E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C8E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C8E9A5
Sleep.KERNEL32(00000000), ref: 00C8E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C8E9B7
Sleep.KERNEL32 ref: 00C8E9F3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 636e757794cfeaf8f44bf716827dfab26f3d2c41321166d4c4643ac45ea105d7
Instruction ID: 8aebc772cc028b41bdb66911ece180ede6dd95224caefbf24a29ebb0f28d84e6
Opcode Fuzzy Hash: 636e757794cfeaf8f44bf716827dfab26f3d2c41321166d4c4643ac45ea105d7
Instruction Fuzzy Hash: 70016931C01629DBCF00AFE9DC89BEDBB78FF08305F000656E952B2250CB709651CBA5

Function 00C810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C81114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C8112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C80B9B,?,?,?), ref: 00C81136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C8114D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 52c6cd12589608198fea65056eba3658f9205864f215dd97056ea64c49d7048e
Instruction ID: a5a96bfed977e70e1e3e8b5d1173b901074d89a05c9299d53b463c763e1e4c45
Opcode Fuzzy Hash: 52c6cd12589608198fea65056eba3658f9205864f215dd97056ea64c49d7048e
Instruction Fuzzy Hash: 00016975200205BFDB115FA8DC8DBAE3BAEEF893A4F240419FA41E3360DA31DD008B60

Function 00C80FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C80FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C80FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C80FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C80FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C81002

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b83bebce97224d677c9b0a4a941627420811ce93ebe289e3ab92dc7485d66f4d
Instruction ID: b9857c1b89ebd7ffa35d2dea853aa375aa2625471c154ad9379295789c3b9cee
Opcode Fuzzy Hash: b83bebce97224d677c9b0a4a941627420811ce93ebe289e3ab92dc7485d66f4d
Instruction Fuzzy Hash: FFF04975200301AFDB216FA8AC89F5A3BADEF89762F144525FA45D6251CA70DC518A60

Function 00C81014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C8102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C81036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81062

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 01ad53a931b0eef192c954e8e6c1a5570afdc72da632ebe925ad2212d4b7a7ac
Instruction ID: 41d9bfcbcbb42c1fe285f4225cde11ca0ae5ff8f382ed207c7f0c0f1b8b3b751
Opcode Fuzzy Hash: 01ad53a931b0eef192c954e8e6c1a5570afdc72da632ebe925ad2212d4b7a7ac
Instruction Fuzzy Hash: 8BF04975200301ABDB216FA8EC89F5B3BADEF89761F140525FA45D6250CA70DD518A60

Function 00C9030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90324
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90331
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C9033E
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C9034B
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90358
CloseHandle.KERNEL32(?,?,?,?,00C9017D,?,00C932FC,?,00000001,00C62592,?), ref: 00C90365

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e639e0d65164dd435dd071801506fdbb70ccd9281283453a171a4c96dd6d0c65
Instruction ID: 9d9a029a0a73f742030d0c069d8e41445c799f0015b8f0fda99a440b208366d5
Opcode Fuzzy Hash: e639e0d65164dd435dd071801506fdbb70ccd9281283453a171a4c96dd6d0c65
Instruction Fuzzy Hash: 4F01AE72800B159FCB30AF66D880816FBF9BF603153258A3FD1A652931C3B1AA58DF80

Function 00C5D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C5D752

Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C5D764
_free.LIBCMT ref: 00C5D776
_free.LIBCMT ref: 00C5D788
_free.LIBCMT ref: 00C5D79A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b1fd1881c668d293e30926661fc738ab50a48054fdd12b7051d8dc920a1b9ef9
Instruction ID: 472eb8eb85b3daf3c88c5f24c546d970b07b7a774f6fa2600a3cec82fcb018fc
Opcode Fuzzy Hash: b1fd1881c668d293e30926661fc738ab50a48054fdd12b7051d8dc920a1b9ef9
Instruction Fuzzy Hash: D5F06236500348AB8635EB64F9C2E5A7BDDBB093527A40805F869EB646C730FCC48668

Function 00C85C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C85C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C85C6F
MessageBeep.USER32(00000000), ref: 00C85C87
KillTimer.USER32(?,0000040A), ref: 00C85CA3
EndDialog.USER32(?,00000001), ref: 00C85CBD

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 81451ff8501fb15d66fe3a44180c9e859300550bdea01e6097441f6124372be9
Instruction ID: 378738cdd5c124679f733f53a77ba13db381091ea2debcd477bd74601b7693f5
Opcode Fuzzy Hash: 81451ff8501fb15d66fe3a44180c9e859300550bdea01e6097441f6124372be9
Instruction Fuzzy Hash: B501A930540B14ABEB316B10DD8EFAA77B8BF04B05F001659B593A14E1DBF0AE84DF94

Function 00C522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C522BE

Part of subcall function 00C529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000), ref: 00C529DE
Part of subcall function 00C529C8: GetLastError.KERNEL32(00000000,?,00C5D7D1,00000000,00000000,00000000,00000000,?,00C5D7F8,00000000,00000007,00000000,?,00C5DBF5,00000000,00000000), ref: 00C529F0

_free.LIBCMT ref: 00C522D0
_free.LIBCMT ref: 00C522E3
_free.LIBCMT ref: 00C522F4
_free.LIBCMT ref: 00C52305

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4f2708820bac889967c55303abb1d2d8b47ee58090f29525164d7c59bc039b88
Instruction ID: e77823686d73591dcdfbc2d53df0d5c9147389195ab7d494ecc6f3c889c26f25
Opcode Fuzzy Hash: 4f2708820bac889967c55303abb1d2d8b47ee58090f29525164d7c59bc039b88
Instruction Fuzzy Hash: 09F0FB794111119B8612AF94BC41BED3BD5F7257627150506FC20E63B1C7310595EFDA

Function 00C395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C395D4
StrokeAndFillPath.GDI32(?,?,00C771F7,00000000,?,?,?), ref: 00C395F0
SelectObject.GDI32(?,00000000), ref: 00C39603
DeleteObject.GDI32 ref: 00C39616
StrokePath.GDI32(?), ref: 00C39631

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5aff354424f3d81019fbd99b098c32347a0eaa76bc3ba93d52a88806027d2414
Instruction ID: b2ae26f280753327c0760b03f8d42429fc2735982475f9f690f0949710afaf5b
Opcode Fuzzy Hash: 5aff354424f3d81019fbd99b098c32347a0eaa76bc3ba93d52a88806027d2414
Instruction Fuzzy Hash: D3F03C30006204EBDB126F69ED5C7BD3B75EB10322F088314F866550F0C7B08A91DFA2

Function 00C50F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C510F9
__freea.LIBCMT ref: 00C51117

Part of subcall function 00C51537: _free.LIBCMT ref: 00C5154F

Strings

a/p, xrefs: 00C511DE
am/pm, xrefs: 00C5117A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 82574e00880dfbee9c596d5d8bee4a0926eec8d9cc9061b189ab46b9947c0d23
Instruction ID: 8200fdc860db1ebf36e024221dc27c4da8a9ae564bc36e13b413b450d38a4c38
Opcode Fuzzy Hash: 82574e00880dfbee9c596d5d8bee4a0926eec8d9cc9061b189ab46b9947c0d23
Instruction Fuzzy Hash: C1D1F339900246DACB249F69C86DBBEB7B0FF05702F2C0159ED219B661D3359EC8CB59

Function 00CA7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C40242: EnterCriticalSection.KERNEL32(00CF070C,00CF1884,?,?,00C3198B,00CF2518,?,?,?,00C212F9,00000000), ref: 00C4024D
Part of subcall function 00C40242: LeaveCriticalSection.KERNEL32(00CF070C,?,00C3198B,00CF2518,?,?,?,00C212F9,00000000), ref: 00C4028A

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C400A3: __onexit.LIBCMT ref: 00C400A9

__Init_thread_footer.LIBCMT ref: 00CA7BFB

Part of subcall function 00C401F8: EnterCriticalSection.KERNEL32(00CF070C,?,?,00C38747,00CF2514), ref: 00C40202
Part of subcall function 00C401F8: LeaveCriticalSection.KERNEL32(00CF070C,?,00C38747,00CF2514), ref: 00C40235

Strings

Variable must be of type 'Object'., xrefs: 00CA7C3A
5, xrefs: 00CA7C78
G, xrefs: 00CA7C7F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 21473136b287775067cde9d8210a9ac02d3cee173639a1f3f22673a1a8440701
Instruction ID: e57555218613fc021f4ea0d3c51cb577b50df93a4dc0164ed5a8aa3d0557da14
Opcode Fuzzy Hash: 21473136b287775067cde9d8210a9ac02d3cee173639a1f3f22673a1a8440701
Instruction Fuzzy Hash: 2091AC70A0420AEFCB14EF94D891DBDB7B1FF4A308F108159F8169B292DB71AE45DB51

Function 00C82716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C821D0,?,?,00000034,00000800,?,00000034), ref: 00C8B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C82760

Part of subcall function 00C8B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C8B3F8

Part of subcall function 00C8B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C8B355
Part of subcall function 00C8B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C82194,00000034,?,?,00001004,00000000,00000000), ref: 00C8B365
Part of subcall function 00C8B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C82194,00000034,?,?,00001004,00000000,00000000), ref: 00C8B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C8281A

Strings

@, xrefs: 00C82832

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1e2cba21dfdfd25aeef0149a4273950440a0e8e37135c695d476f6ef76b61441
Instruction ID: 08a186a50396027fcbce642f3c923d29e2735ecdc3354602cbb11d1e35219dc0
Opcode Fuzzy Hash: 1e2cba21dfdfd25aeef0149a4273950440a0e8e37135c695d476f6ef76b61441
Instruction Fuzzy Hash: 35413C72900218BFDB10EBA4CD86BEEBBB8AF09304F004059FA55B7191DB706E45DBA0

Function 00C5172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C51769
_free.LIBCMT ref: 00C51834
_free.LIBCMT ref: 00C5183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C51760, 00C51767, 00C51796, 00C517CE

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 45f80e817b811bbb32b91ca53948c0ba399a16164ff13af3e638104d1be3a88a
Instruction ID: 583e65ce548ff54fba9f8a4f5f60501bbe8621e0f3a07fcb54ebec54ba36e82b
Opcode Fuzzy Hash: 45f80e817b811bbb32b91ca53948c0ba399a16164ff13af3e638104d1be3a88a
Instruction Fuzzy Hash: F631C279A00218EFCB21DF99DC88FAEBBFCEB89351B184166FC1097211D6704E84DB94

Function 00C8C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C8C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C8C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CF1990,016C64E0), ref: 00C8C395

Strings

0, xrefs: 00C8C2DF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 8ab16d83ec5ca79354d68259b71b27f9285d27aad7b228416bed62541359ffb1
Instruction ID: b72f24847629e6b305b1a0d47d9ae9d2a6eeb05f77d4d9b7955477161648c0b4
Opcode Fuzzy Hash: 8ab16d83ec5ca79354d68259b71b27f9285d27aad7b228416bed62541359ffb1
Instruction Fuzzy Hash: 3141A2312043019FD720EF25D8C5B9ABBE4EF85318F14861EF9A5972E1D730E905DB66

Function 00CB4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CBCC08,00000000,?,?,?,?), ref: 00CB44AA
GetWindowLongW.USER32 ref: 00CB44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB44D7

Strings

SysTreeView32, xrefs: 00CB447C

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 57bd664e60bafdf1bbca4f9119d64188bedea955091b65b8d762964f95f35ef2
Instruction ID: 527ff18724a87e3c11300896e12dca0dddf150471d4104942baf8b13b8912c54
Opcode Fuzzy Hash: 57bd664e60bafdf1bbca4f9119d64188bedea955091b65b8d762964f95f35ef2
Instruction Fuzzy Hash: 33319C31214605AFDF248E78DC85FEA7BA9EB08334F204725F975921E1DB70ED649B60

Function 00CA304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CA3077,?,?), ref: 00CA3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CA307A
_wcslen.LIBCMT ref: 00CA309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CA3106

Strings

255.255.255.255, xrefs: 00CA3095, 00CA309A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6addc51691c43af53b4c76a80cdd3a42362e1279a362843241e59db925a2058e
Instruction ID: 2de59981f65b42272864d5c29bbd33ab3535122dbaa740f17704e8e095da5d9f
Opcode Fuzzy Hash: 6addc51691c43af53b4c76a80cdd3a42362e1279a362843241e59db925a2058e
Instruction Fuzzy Hash: 9931C4392042869FCB10CF69C595E6977F0EF56318F248059F9258B392DB32DF41C760

Function 00CB3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CB3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CB3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CB3F78

Strings

SysMonthCal32, xrefs: 00CB3F0B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e580e0477e8daa585ffbfdd660ffeaf7b9fd1194ecc2afcfb4aa25d40b515eb5
Instruction ID: 89df45c748bb144209af6cb3cfa6d6887f8e87aabd9266f8001e49b56be91f1f
Opcode Fuzzy Hash: e580e0477e8daa585ffbfdd660ffeaf7b9fd1194ecc2afcfb4aa25d40b515eb5
Instruction Fuzzy Hash: CC21AB32600259BBDF218E90CC86FEE3B79EB48714F110254FA156B1D0D6B1AD50DBA0

Function 00CB4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CB4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CB4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CB471A

Strings

msctls_updown32, xrefs: 00CB4684

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 01c85fcc463ab991ca5e8c81fa428e274b227124f3b762aed33eb63613da82c5
Instruction ID: fb368d12f8501018889586659e63a619366b764a6627a8665868bbd6d9d0378d
Opcode Fuzzy Hash: 01c85fcc463ab991ca5e8c81fa428e274b227124f3b762aed33eb63613da82c5
Instruction Fuzzy Hash: D62171B5604208AFDB14DF64DCC1EBB37ADEF5A3A4F040159FA10AB251CB71ED11DA60

Function 00C895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8961D

Strings

#notrayicon, xrefs: 00C895B7
#requireadmin, xrefs: 00C895D9
#OnAutoItStartRegister, xrefs: 00C895F3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d59bee7467cc168963d84c1428e1f0493ec51d588f7c3b5099f4e52eb4bb5d3f
Instruction ID: 1152486669d2a52b377487f02c82876c91d3aa8f13a0bd50849e79c8a1dd4eaf
Opcode Fuzzy Hash: d59bee7467cc168963d84c1428e1f0493ec51d588f7c3b5099f4e52eb4bb5d3f
Instruction Fuzzy Hash: C8213832204520A6C331BA259C02FBB7398EF51308F18403AF95997141FB719E46D399

Function 00CB37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CB3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CB3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CB3876

Strings

Listbox, xrefs: 00CB380F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a7cd9d8943bb04b182764855278e56525f904bda9befebf13b865ed8064555e4
Instruction ID: b7141bd8571c175f061d30fc9cef9b0d462b647c4626a3deba368136910b3ef9
Opcode Fuzzy Hash: a7cd9d8943bb04b182764855278e56525f904bda9befebf13b865ed8064555e4
Instruction Fuzzy Hash: 8D21AC72610258BBEB218E55DC85FFB376EEF89750F118125F910AB190CA729D5287A0

Function 00C949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C94A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C94A5C
SetErrorMode.KERNEL32(00000000,?,?,00CBCC08), ref: 00C94AD0

Strings

%lu, xrefs: 00C94A6F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 755af88ccea3dac25f414996c642bd0847bdaaa6476e82a6de67784ff28f4b5f
Instruction ID: b632729fcaa4ebdc4184192042ab5c95c59fee3dce088eb547f63f51305c0578
Opcode Fuzzy Hash: 755af88ccea3dac25f414996c642bd0847bdaaa6476e82a6de67784ff28f4b5f
Instruction Fuzzy Hash: 3A316171A00108AFDB10DF54C885EAE7BF8EF04308F1440A5F905EB252DB71EE46DB61

Function 00CB41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CB424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CB4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CB4271

Strings

msctls_trackbar32, xrefs: 00CB4226

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a1d256d1c7f38e378317aa344228323ccf7a3333c03e1cfab9c414f3548f7d53
Instruction ID: bcb9a6ce6161802c9a92494900e5c4034272600b286a1d5d70e3f33ce662992f
Opcode Fuzzy Hash: a1d256d1c7f38e378317aa344228323ccf7a3333c03e1cfab9c414f3548f7d53
Instruction Fuzzy Hash: EA11E371244248BEEF205E29CC06FEB3BACEF95B54F010124FA55E2091D671DC11EB60

Function 00C82F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C26B57: _wcslen.LIBCMT ref: 00C26B6A

Part of subcall function 00C82DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C82DC5
Part of subcall function 00C82DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C82DD6
Part of subcall function 00C82DA7: GetCurrentThreadId.KERNEL32 ref: 00C82DDD
Part of subcall function 00C82DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C82DE4

GetFocus.USER32 ref: 00C82F78

Part of subcall function 00C82DEE: GetParent.USER32(00000000), ref: 00C82DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C82FC3
EnumChildWindows.USER32(?,00C8303B), ref: 00C82FEB

Strings

%s%d, xrefs: 00C82FFF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 4df6a50dfb6eada78930b0ba2ea5f56304c966a66f1e646d8a95c937842ec579
Instruction ID: 41d9cab23e5ebb749590e3a49f4440735d70c767bc3a0e836db79ad679b33f41
Opcode Fuzzy Hash: 4df6a50dfb6eada78930b0ba2ea5f56304c966a66f1e646d8a95c937842ec579
Instruction Fuzzy Hash: 9011AF756002056BCF157F609CC9FEE3B6AAF94708F04507AF9099B292DF309A49EB74

Function 00CB5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CB58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CB58EE
DrawMenuBar.USER32(?), ref: 00CB58FD

Strings

0, xrefs: 00CB588F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b807dcc48ef2ec3e3ed0a72a27781c4013c2510bce355c6f97ff5404a49c19cb
Instruction ID: 8c7c32a27510901495fea4f848f7abf45b36d843634f89af67fc8c7856fffd32
Opcode Fuzzy Hash: b807dcc48ef2ec3e3ed0a72a27781c4013c2510bce355c6f97ff5404a49c19cb
Instruction Fuzzy Hash: D9016D31900218EFDB219F11DC44BEEBBB8FB45360F1484AAE859D6151DB308A85EF21

Function 00C7D3AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C7D3BF
FreeLibrary.KERNEL32 ref: 00C7D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00C7D3B9
X64, xrefs: 00C7D2A8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 4f360fb60c375a765bd7dabaacd5fba00b2e8016ffd9f0bf44cb49cd81e5cdf2
Instruction ID: f8c8f8edde692fb23ea9a624a1dc6307a306955fbe819955db18398b6bb70c52
Opcode Fuzzy Hash: 4f360fb60c375a765bd7dabaacd5fba00b2e8016ffd9f0bf44cb49cd81e5cdf2
Instruction Fuzzy Hash: 85E07DB2D42531DBC77113149C94BAE73387F10B01F45C254F81FF2145EB20CE0246A0

Function 00C8007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfc75a902bf94f212be07ba9b7b8e86d352def20b5b45c693d6a2f1751718df
Instruction ID: 8970e6eec0366e84c36c7a018a5cdac31f949e0dc93f93932e03d5dc575a240f
Opcode Fuzzy Hash: 4bfc75a902bf94f212be07ba9b7b8e86d352def20b5b45c693d6a2f1751718df
Instruction Fuzzy Hash: D6C17D75A00206EFDB54DF94C888BAEB7B5FF48318F218598E415EB261C770EE85CB94

Function 00C53E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C53F0B
__alldvrm.LIBCMT ref: 00C5410C
__alldvrm.LIBCMT ref: 00C5412E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 0cc9959e3afb0dc990c6e2cfaf2cdb24a7291ec58918b1334c3e2cbc5a76df86
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: F5A1AB79D007869FD729CF18C8817AEBBE4EF61385F2841ADED559B281C2348EC9C758

Function 00CA342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CA3459
CoUninitialize.OLE32 ref: 00CA3463
VariantInit.OLEAUT32(?), ref: 00CA346E
VariantClear.OLEAUT32(?), ref: 00CA371B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 96103a2061a34aa632f122deb9cab0ebdc1689f5b92c0425d05d66586beb675a
Instruction ID: 89945e3d7303bf230652d2070dcd8b6dfd81c0fa239fc69f45102cecd4f58d84
Opcode Fuzzy Hash: 96103a2061a34aa632f122deb9cab0ebdc1689f5b92c0425d05d66586beb675a
Instruction Fuzzy Hash: F0A17A756043119FCB00DF28C595A2AB7E5FF89314F14895DF98AAB362DB30EE01DB92

Function 00C80436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C80608
CLSIDFromProgID.OLE32(?,?,00000000,00CBCC40,000000FF,?,00000000,00000800,00000000,?,00CBFC08,?), ref: 00C8062D
_memcmp.LIBVCRUNTIME ref: 00C8064E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cf195bdc2b298372d0ac3e4db55bfd462d2ce0d7a43f2dad782f4ca91632741e
Instruction ID: 2d447f4610de215ed31724cd7b8c18a1ae88cdd4d254f9f52d9f7b96f9ec5a2f
Opcode Fuzzy Hash: cf195bdc2b298372d0ac3e4db55bfd462d2ce0d7a43f2dad782f4ca91632741e
Instruction Fuzzy Hash: BA814B71A00109EFCB44DF94C988EEEB7B9FF89315F204158F516AB250DB71AE0ACB64

Function 00CAA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CAA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CAA6BA

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CAA79C
CloseHandle.KERNEL32(00000000), ref: 00CAA7AB

Part of subcall function 00C3CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C63303,?), ref: 00C3CE8A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 016959471e534d557df682cde19fb4ef8e42704ac51e3ca85fe3686122aef03f
Instruction ID: 82ef36dd334fb790ebd2b11a3532a2fafd00ed064bc3e8ed58768700e58697ef
Opcode Fuzzy Hash: 016959471e534d557df682cde19fb4ef8e42704ac51e3ca85fe3686122aef03f
Instruction Fuzzy Hash: 89513B71508311AFD710EF24D886A6FBBE8FF89754F00492DF595972A2EB30D904DBA2

Function 00C61391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C614C0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8face580194e9d2e66050003c0414b6928fdd3653c27cd1af8a1cebba277054
Instruction ID: a7001e6c995b1d305ac1ae2af2c01525e1ac49643df84597e45a1c2a3392f30d
Opcode Fuzzy Hash: c8face580194e9d2e66050003c0414b6928fdd3653c27cd1af8a1cebba277054
Instruction Fuzzy Hash: C4412C35900110ABDB317BB98CC66BE3AA4FF41372F1C4225FC29D7291EA748A417272

Function 00CB6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CB62E2
ScreenToClient.USER32(?,?), ref: 00CB6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CB6382

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c6a598d314ebf808d2a0bd756dbcc02080a0c302c284f950a9c04a58805d03db
Instruction ID: d25de83d15725a21196ab2f33f17bc4bed8de9084787cc8d26fe26fc78cae2ed
Opcode Fuzzy Hash: c6a598d314ebf808d2a0bd756dbcc02080a0c302c284f950a9c04a58805d03db
Instruction Fuzzy Hash: 3D512B74900209EFDF10DF58D880AEE7BF5EB55360F148269F925972A0D734EE41CB90

Function 00CA1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CA1AFD
WSAGetLastError.WSOCK32 ref: 00CA1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CA1B8A
WSAGetLastError.WSOCK32 ref: 00CA1B94

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5df4a8d10f80826135b1bd2490316c9c3c689d6373573f3e0ee2561a518d7984
Instruction ID: 9c2aa0a79615e4b9f61078dac4a18a7f3449af9ac1f14840ad7689530013ae07
Opcode Fuzzy Hash: 5df4a8d10f80826135b1bd2490316c9c3c689d6373573f3e0ee2561a518d7984
Instruction Fuzzy Hash: 19411474600201AFE720AF24D886F2977E5AF48718F588048F91A9F7D3D772DE41CBA0

Function 00C5B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb72f3cc61660019e7d9849559d85fe7220ceab715afbccc7e689121e6bcdc0
Instruction ID: 5b73f3e190ebf00ccba6c670a20126f8f9b73d109ec7c9a11ff5fbaaad733bd5
Opcode Fuzzy Hash: 2fb72f3cc61660019e7d9849559d85fe7220ceab715afbccc7e689121e6bcdc0
Instruction Fuzzy Hash: 25412879A00314AFD7349F38CC41BAABFE9EB88711F20452EF911DB281D3719D859794

Function 00C956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C95783
GetLastError.KERNEL32(?,00000000), ref: 00C957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C957FA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 40c32c6f53f491a892a3ec2325f8e53f863a2663b668f44207f571d6f4f74a1d
Instruction ID: 48bd66e3202c51e8eb8790ef0e1fb071e95e22f3edf5d2a95d177443444763fa
Opcode Fuzzy Hash: 40c32c6f53f491a892a3ec2325f8e53f863a2663b668f44207f571d6f4f74a1d
Instruction Fuzzy Hash: 6E412F35600610DFCF11EF55D584A5EBBE1EF89320B198498E85AAF762CB34FD40DB91

Function 00C5D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C46D71,00000000,00000000,00C482D9,?,00C482D9,?,00000001,00C46D71,8BE85006,00000001,00C482D9,00C482D9), ref: 00C5D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C5D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C5D9AB
__freea.LIBCMT ref: 00C5D9B4

Part of subcall function 00C53820: RtlAllocateHeap.NTDLL(00000000,?,00CF1444,?,00C3FDF5,?,?,00C2A976,00000010,00CF1440,00C213FC,?,00C213C6,?,00C21129), ref: 00C53852

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e0b9dbd4f5ad0822363cdb701712542baeaf468d2d3604b359bdee96ab99905d
Instruction ID: 5eaeac83cd4f4171ac8c3472825f0a67a89cf300ee86ffc21f0e855871dccfc7
Opcode Fuzzy Hash: e0b9dbd4f5ad0822363cdb701712542baeaf468d2d3604b359bdee96ab99905d
Instruction Fuzzy Hash: 7531EE72A1030AABDF24DF64DC81EAE7BA5EB41311F050268FC15E6151EB35CE98DB90

Function 00CB52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CB5352
GetWindowLongW.USER32(?,000000F0), ref: 00CB5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CB5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CB53A8

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 11205848080a7cc8b7307cc2f7b437c325a038dbb3d85430a1ce1fa510017287
Instruction ID: f6f18952b6e9982c441bc9e6cb64f4c8479c028f81e569b71370310cb4815419
Opcode Fuzzy Hash: 11205848080a7cc8b7307cc2f7b437c325a038dbb3d85430a1ce1fa510017287
Instruction Fuzzy Hash: B431A334A55A08EFEB309E14CC55FE977E5AB04390F584102FA21963F1C7F59E80EB52

Function 00C8AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C8ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C8AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C8AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C8ACC6

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 89bcb66e2ab25335401a0153857a14c3f92a06057e196ee1706344424a206ddb
Instruction ID: 84374333fcb9ddf3ec7f0b4cc0e1c1f29efe5baeb716b5613f32056187180ba2
Opcode Fuzzy Hash: 89bcb66e2ab25335401a0153857a14c3f92a06057e196ee1706344424a206ddb
Instruction Fuzzy Hash: A9312B70A007186FFF35EB698C04BFE7BA5AB49318F08431BE495521D1C3768E85975A

Function 00CB7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CB769A
GetWindowRect.USER32(?,?), ref: 00CB7710
PtInRect.USER32(?,?,00CB8B89), ref: 00CB7720
MessageBeep.USER32(00000000), ref: 00CB778C

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a19e3e8fbe9ceed77f939153740a62e0d42815e03056df53bdd21442a93eb24f
Instruction ID: 4c1a1293e03dd773ef55b33e31cf9b02a390a4437ad5c86fb7de93f869b10a97
Opcode Fuzzy Hash: a19e3e8fbe9ceed77f939153740a62e0d42815e03056df53bdd21442a93eb24f
Instruction Fuzzy Hash: 3E416B34A09214DFCB12CF59C894FED77F5FB89314F1942A8EC25AB261CB71AA41CB90

Function 00CB16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CB16EB

Part of subcall function 00C83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C83A57
Part of subcall function 00C83A3D: GetCurrentThreadId.KERNEL32 ref: 00C83A5E
Part of subcall function 00C83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C825B3), ref: 00C83A65

GetCaretPos.USER32(?), ref: 00CB16FF
ClientToScreen.USER32(00000000,?), ref: 00CB174C
GetForegroundWindow.USER32 ref: 00CB1752

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4212ffcd9f9d0afd1aa801c246a426a6aea2facf62b35c6946ca4ccc12e6c99b
Instruction ID: 7171403627ed9d3dba83609429d81b9e82f9416c8d63812aad5209a5e00f5eb6
Opcode Fuzzy Hash: 4212ffcd9f9d0afd1aa801c246a426a6aea2facf62b35c6946ca4ccc12e6c99b
Instruction Fuzzy Hash: 98315071D00159AFCB04EFA9D8C1DEEBBF9EF48304B5480AAE415E7611DB319E45DBA0

Function 00C8DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

_wcslen.LIBCMT ref: 00C8DFCB
_wcslen.LIBCMT ref: 00C8DFE2
_wcslen.LIBCMT ref: 00C8E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C8E018

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: fce6c659230818a6b0966a6a39de3c48d6499283252832fb1e42fe1e61083bd8
Instruction ID: 61bb42573b90de8680886a1f93ffde38831e64cae6343a19a08e256d68990a28
Opcode Fuzzy Hash: fce6c659230818a6b0966a6a39de3c48d6499283252832fb1e42fe1e61083bd8
Instruction Fuzzy Hash: C421D171900214AFCB20AFA8D881BAEB7F8EF45724F144068E905BB285D7709E41EBA1

Function 00CB8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

GetCursorPos.USER32(?), ref: 00CB9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C77711,?,?,?,?,?), ref: 00CB9016
GetCursorPos.USER32(?), ref: 00CB905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C77711,?,?,?), ref: 00CB9094

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: addecab5eb42efa9c88dc5dd8a887116f84d91b81b36704e236ba4ee8ad93faa
Instruction ID: 1dc229fd2e308fe4cf531e887b1fdf40ba8c8458c2cce9ca3e65a0ae444e469b
Opcode Fuzzy Hash: addecab5eb42efa9c88dc5dd8a887116f84d91b81b36704e236ba4ee8ad93faa
Instruction Fuzzy Hash: CB219F35600018EFCB259F94D898FFE7BB9EB4A361F044155FA1547261C7719A50EB60

Function 00C8D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CBCB68), ref: 00C8D2FB
GetLastError.KERNEL32 ref: 00C8D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CBCB68), ref: 00C8D376

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 939b612ac445e158af4c902d9bb0a09376c17e7503cf9e55027ca44ead99ebec
Instruction ID: 4f81beb62d63a4a2c1b35ee8f3ec06b1b067fccc62654d18a4b5701e98df4893
Opcode Fuzzy Hash: 939b612ac445e158af4c902d9bb0a09376c17e7503cf9e55027ca44ead99ebec
Instruction Fuzzy Hash: 132191705043119F8700EF28D8815AEB7F4EE5A328F104A2DF4AAC72E1D730DA45CB97

Function 00C81571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C8102A
Part of subcall function 00C81014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C81036
Part of subcall function 00C81014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81045
Part of subcall function 00C81014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C8104C
Part of subcall function 00C81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C81062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C815BE
_memcmp.LIBVCRUNTIME ref: 00C815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C81617
HeapFree.KERNEL32(00000000), ref: 00C8161E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 23899468c4139f065ba0ea1e2ec6fd023f533c2541bebf129f3eef6ff32c211c
Instruction ID: 1702600f4c9a0a5f5b16af652c9c77881a373e3996a15f75d18e33a7ab01b310
Opcode Fuzzy Hash: 23899468c4139f065ba0ea1e2ec6fd023f533c2541bebf129f3eef6ff32c211c
Instruction Fuzzy Hash: 84214A71E00109EFDB10EFA4C945BEEB7F8FF44359F184459E891AB241E730AA46DBA4

Function 00CB2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CB280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CB2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CB2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CB2840

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 4b9fea5512c3da737cacc58110adaeaec0db844014bb01a9570a57e53c323531
Instruction ID: 6cb079a79dc1b8e73fc2b2884132fa4d833fa0277e4f1cea56fe8d524b2efd50
Opcode Fuzzy Hash: 4b9fea5512c3da737cacc58110adaeaec0db844014bb01a9570a57e53c323531
Instruction Fuzzy Hash: 3921B031204521AFD7149B24C885FEA7B99EF85324F148258F4268B6E2CB72FD82CBD0

Function 00C878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C88D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?), ref: 00C88D8C
Part of subcall function 00C88D7D: lstrcpyW.KERNEL32(00000000,?,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C88DB2
Part of subcall function 00C88D7D: lstrcmpiW.KERNEL32(00000000,?,00C8790A,?,000000FF,?,00C88754,00000000,?,0000001C,?,?), ref: 00C88DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87923
lstrcpyW.KERNEL32(00000000,?,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C88754,00000000,?,0000001C,?,?,00000000), ref: 00C87984

Strings

cdecl, xrefs: 00C8797B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d329eb8f59454281860f84f60631d7a1f4a003bb9c237edcc20c713b43c1b1d9
Instruction ID: 396a50b473ee59098d3ea7ad3d896d23ffa3674f7a27f039a136165770370fb0
Opcode Fuzzy Hash: d329eb8f59454281860f84f60631d7a1f4a003bb9c237edcc20c713b43c1b1d9
Instruction Fuzzy Hash: F411033A200242ABCF15BF39D844E7A77A9FF95394B50412AF842CB2A4FF31D901D7A5

Function 00CB7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CB7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CB7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CB7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C9B7AD,00000000), ref: 00CB7D6B

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 794542b85310248ca9826f5e35b3bd3f235cedf7e740632983e6c958c2e99456
Instruction ID: e7f1b3b0ed7e3fa5e510101ae60706d5c4cbe50bb71c88c4e948118aff639460
Opcode Fuzzy Hash: 794542b85310248ca9826f5e35b3bd3f235cedf7e740632983e6c958c2e99456
Instruction Fuzzy Hash: E2116D31615615AFCB109F68CC44BBA3BA5AF853A0F254728FC3AD72F0E7319A51DB90

Function 00CB5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CB56BB
_wcslen.LIBCMT ref: 00CB56CD
_wcslen.LIBCMT ref: 00CB56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CB5816

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e74ab639657a0ca747bc4147499385d034e1062a71b60ca1251cd1f7c649f285
Instruction ID: 2531483a6dd654dfeaf773fcc55c5b1c1d389fdc54f8e7710816a1efa4e7e1ac
Opcode Fuzzy Hash: e74ab639657a0ca747bc4147499385d034e1062a71b60ca1251cd1f7c649f285
Instruction Fuzzy Hash: DF11D071A00608AADF209F62CC85BEE77ACFF10764F104126F925D6181EBB0CA81CF64

Function 00C51D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d4b1b3c908a36eb0c3f0c45c99200e6b03f52ebdec037b3252d3d82a68ad68
Instruction ID: aa63605ff37a50b7ead82bc03b19efc113f6a28d16ab599c1bb9961516bad69c
Opcode Fuzzy Hash: f0d4b1b3c908a36eb0c3f0c45c99200e6b03f52ebdec037b3252d3d82a68ad68
Instruction Fuzzy Hash: 1C01A2BA20561A3EF62226786CC4F6B676CDF813BAF380325FD31611D2DB609D885168

Function 00C81A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C81A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C81A8A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e78a74af2e1627c43e8f72ddfd826d4072b8d9971109cefb5d388923f4ffc125
Instruction ID: 5d9d8afbd35a9af5373dc1a42991617b454bfa34148d9f520f8ee4dde1751fe1
Opcode Fuzzy Hash: e78a74af2e1627c43e8f72ddfd826d4072b8d9971109cefb5d388923f4ffc125
Instruction Fuzzy Hash: 80112A3A901219FFEB109BA5C985FEDBBB8EB08754F240091EA10B7290D6716E51EB94

Function 00C8E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C8E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C8E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C8E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C8E24D

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4d9acf4ababf7f2b512151070ecccf5bff3349f075fbb7d090b1f8711cbbb0b4
Instruction ID: 06d75030491b9471f9e05302175721e1afa96e727db224a98b64b3f6d8f5cfbc
Opcode Fuzzy Hash: 4d9acf4ababf7f2b512151070ecccf5bff3349f075fbb7d090b1f8711cbbb0b4
Instruction Fuzzy Hash: 4C11DB76904254BBC701AFA89C45BAE7FADAB45324F144365F925E32A1D6B0CE04C7A1

Function 00C4D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C4CFF9,00000000,00000004,00000000), ref: 00C4D218
GetLastError.KERNEL32 ref: 00C4D224
__dosmaperr.LIBCMT ref: 00C4D22B
ResumeThread.KERNEL32(00000000), ref: 00C4D249

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a41815c1307d9f2b1d96a49826a4f802e87337af06143638f882d58a2f91c9e1
Instruction ID: f843c62e530a8d951989ff9ce82d985505e6887c7333524625b92e2c41645595
Opcode Fuzzy Hash: a41815c1307d9f2b1d96a49826a4f802e87337af06143638f882d58a2f91c9e1
Instruction Fuzzy Hash: 1201D276805214BBDB216BA5DC49BAF7AA9FF81331F100329F926921E0CBB0CD41D6A0

Function 00CB9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C39BB2

GetClientRect.USER32(?,?), ref: 00CB9F31
GetCursorPos.USER32(?), ref: 00CB9F3B
ScreenToClient.USER32(?,?), ref: 00CB9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CB9F7A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4d66e0c55381674ed5fb96949f763c6604eb39dfc9f947683af75f034839132e
Instruction ID: e859a3a67911de5345ae3b8a8d2c1bfa28530f3b7a6c70984e20fbcf857b7b37
Opcode Fuzzy Hash: 4d66e0c55381674ed5fb96949f763c6604eb39dfc9f947683af75f034839132e
Instruction Fuzzy Hash: 7711153290011AEBDB10EFA8D889AFEB7B9FB46321F000555FA11E3150D770BB95DBA1

Function 00C2600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
GetStockObject.GDI32(00000011), ref: 00C26060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0e2f5d1de65431e0cd179008fa6248c785ea942171e269e43d916adf9427a13e
Instruction ID: 59fdcfade2f05c98271b2c96fac80f9b7b5363a8833f1ca335eaa14e8badaf51
Opcode Fuzzy Hash: 0e2f5d1de65431e0cd179008fa6248c785ea942171e269e43d916adf9427a13e
Instruction Fuzzy Hash: 47115B72501558BFEF124FA4AC84FEEBF69EF193A4F040215FA1456110DB329D60EBA4

Function 00C43B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C43B56

Part of subcall function 00C43AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C43AD2
Part of subcall function 00C43AA3: ___AdjustPointer.LIBCMT ref: 00C43AED

_UnwindNestedFrames.LIBCMT ref: 00C43B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C43B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C43BA4

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1f23833b79da191246154232d75c935f8cacf8ffbf5520cd3fd12a0041a929da
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 47010C32100189BBDF126E95CC46EEB7F6EFF98754F044114FE5896121C732E961EBA0

Function 00C53073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C213C6,00000000,00000000,?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue), ref: 00C530A5
GetLastError.KERNEL32(?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue,00CC2290,FlsSetValue,00000000,00000364,?,00C52E46), ref: 00C530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C5301A,00C213C6,00000000,00000000,00000000,?,00C5328B,00000006,FlsSetValue,00CC2290,FlsSetValue,00000000), ref: 00C530BF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 85c08fbbd0c3f9ffb6eee7088a75e05580072d1221a375ad905982878cc47cba
Instruction ID: 698b5007c9aff69fe39bab40976c43227e71d03330d8242b0e9daf39640f59bf
Opcode Fuzzy Hash: 85c08fbbd0c3f9ffb6eee7088a75e05580072d1221a375ad905982878cc47cba
Instruction Fuzzy Hash: 8201FC3A301362ABCB324B799C84B6B77989F85BE2B100720FD15E31C0C721DE49C6E4

Function 00C87464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C8747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C87497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C874CA

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c5be5420d89e7410b27e27df54aac6a7f24c0b86169757a8f21911a5d8989840
Instruction ID: fa27c44b6cb83ccf4cd8e3230e64038edee82f98c2a54cffcc203c9237bb11f5
Opcode Fuzzy Hash: c5be5420d89e7410b27e27df54aac6a7f24c0b86169757a8f21911a5d8989840
Instruction Fuzzy Hash: 9111A1B1205310ABE7209F54DC48BA67FFCEB80B18F208669A666D6151E770E944DF64

Function 00C8B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C8ACD3,?,00008000), ref: 00C8B126

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e1b09e706da19bcaad6b5ae61c05cbd0084ab73bc964840f76ba49b7be8119bd
Instruction ID: 94a4f7795b5090d2a15d087e5f7cede9182c4b9c01c334dd90e4fa6c1f6c8c78
Opcode Fuzzy Hash: e1b09e706da19bcaad6b5ae61c05cbd0084ab73bc964840f76ba49b7be8119bd
Instruction Fuzzy Hash: 0D115B71C0192CE7CF00EFE9E9987EEBB78FF19715F10418AD991B6181CB305A508B59

Function 00CB7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CB7E33
ScreenToClient.USER32(?,?), ref: 00CB7E4B
ScreenToClient.USER32(?,?), ref: 00CB7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CB7E8A

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: cf7665f6081254f1dbc0b54861dfcaaaec85560a5c73123a54109257d2d3747a
Instruction ID: a661a35b540bf8485ce04c36039174190c933cd8b23d2e6f120db8ee6551b249
Opcode Fuzzy Hash: cf7665f6081254f1dbc0b54861dfcaaaec85560a5c73123a54109257d2d3747a
Instruction Fuzzy Hash: C81114B9D0024AAFDB41DF98C884AEEBBF5FF08310F505166E915E3210D735AA55CF50

Function 00C82DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C82DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C82DD6
GetCurrentThreadId.KERNEL32 ref: 00C82DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C82DE4

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ecf76087285482e1924c0010b7a6a467f9c689beed336877af1ac201864b1130
Instruction ID: ec1f2d7a074b4aa7f971560d9c8d10cbff0b87987c12e7d2ca3b58676ff7d13a
Opcode Fuzzy Hash: ecf76087285482e1924c0010b7a6a467f9c689beed336877af1ac201864b1130
Instruction Fuzzy Hash: 93E0ED72501224BBD7202B669C8DFEF7F6CEB56BA6F400216B505D10919AA58941C6B0

Function 00CB8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C39693
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396A2
Part of subcall function 00C39639: BeginPath.GDI32(?), ref: 00C396B9
Part of subcall function 00C39639: SelectObject.GDI32(?,00000000), ref: 00C396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CB8887
LineTo.GDI32(?,?,?), ref: 00CB8894
EndPath.GDI32(?), ref: 00CB88A4
StrokePath.GDI32(?), ref: 00CB88B2

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 884ec7d6fc1915daeb807bdd50472687010f5bca0e30fe3fd245f9701c0d31ea
Instruction ID: b910d585a54ad66bff0562cfe12fc27df8d2895e35d9669a5ec75e3368952757
Opcode Fuzzy Hash: 884ec7d6fc1915daeb807bdd50472687010f5bca0e30fe3fd245f9701c0d31ea
Instruction Fuzzy Hash: 72F05E36041259FBDB126F94AC4AFDE3F69AF06710F048100FA11650E1C7B65611DFE5

Function 00C398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C398CC
SetTextColor.GDI32(?,?), ref: 00C398D6
SetBkMode.GDI32(?,00000001), ref: 00C398E9
GetStockObject.GDI32(00000005), ref: 00C398F1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0b1e4757055e241957eb1b081cc0b0c2b75f6da6b4eed684e8ac64254da6df07
Instruction ID: 092e64274ea8f1de1bc9a1cc593f2ff2df8add78339019ebe75020d9dda8a096
Opcode Fuzzy Hash: 0b1e4757055e241957eb1b081cc0b0c2b75f6da6b4eed684e8ac64254da6df07
Instruction Fuzzy Hash: 8CE06D31284284AADB215B78AC49BED3F20EB12336F04C319F6FA680E1C37246409B20

Function 00C8162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C81634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C811D9), ref: 00C8163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C811D9), ref: 00C81648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C811D9), ref: 00C8164F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ce32d391f6325174f0a1299ad74313c28ef5dc95c7e97e98ce17dacf0d286144
Instruction ID: 71ae102eb1a226f425e4affd64f7c4c6eb233308ef4ad0499a9e31bd98a4e38d
Opcode Fuzzy Hash: ce32d391f6325174f0a1299ad74313c28ef5dc95c7e97e98ce17dacf0d286144
Instruction Fuzzy Hash: D7E08631601211DBD7202FA0AD4DB8B3BBCEF44795F184918F695C9090E6344541C764

Function 00C7D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C7D858
GetDC.USER32(00000000), ref: 00C7D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C7D882
ReleaseDC.USER32(?), ref: 00C7D8A3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0fe28711b2de72506bb1b247dfbfb29ba9cd6b74283a630ee82646a5b9c148b8
Instruction ID: 3e126d791eaf846c3a605b9c15d1ae864c51f1aadaf11d98b50e24ffdf3ead76
Opcode Fuzzy Hash: 0fe28711b2de72506bb1b247dfbfb29ba9cd6b74283a630ee82646a5b9c148b8
Instruction Fuzzy Hash: 34E01AB4C00204DFCB41AFE5E988B6EBBB1FB48310F108109F816E7250C7384901AF90

Function 00C7D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C7D86C
GetDC.USER32(00000000), ref: 00C7D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C7D882
ReleaseDC.USER32(?), ref: 00C7D8A3

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7d9a7eea0fa3d6c60cc6d29174af077fda40a4ba3bd8de4c67d699a1571990dd
Instruction ID: eeca4f9e9e6ecc27e67d7ded1ac461a292fdaf8e3df5189da6023db34e3fb18a
Opcode Fuzzy Hash: 7d9a7eea0fa3d6c60cc6d29174af077fda40a4ba3bd8de4c67d699a1571990dd
Instruction Fuzzy Hash: 78E012B4C00204EFCB40AFA8E888B6EBBB1BB48310F108108F81AE7250CB385901AF90

Function 00C94D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27620: _wcslen.LIBCMT ref: 00C27625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C94ED4

Strings

*, xrefs: 00C94E10
LPT, xrefs: 00C94DFB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b2cba01248f1f4bd9129ba4c142c187939e6b737e80b23a5f1480583a6e19964
Instruction ID: 00014f47dbe0a50d65437e3cb1b390a5d5d37cc8de3c0f641da928015057ffbe
Opcode Fuzzy Hash: b2cba01248f1f4bd9129ba4c142c187939e6b737e80b23a5f1480583a6e19964
Instruction Fuzzy Hash: 36916275A002159FCB18DF98C4C8EAABBF5BF44304F148099E41A9F762D735EE86CB91

Function 00C4E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C4E30D

Strings

pow, xrefs: 00C4E2E5, 00C4E302

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a626eccf4640b53ebe843d754a1ea6bf06e1f5919d055f5484905b40561913d1
Instruction ID: 3cd1b5163ee0d1acd02a268b10e20a4341d160b4ed817262c4302d3faaedf727
Opcode Fuzzy Hash: a626eccf4640b53ebe843d754a1ea6bf06e1f5919d055f5484905b40561913d1
Instruction Fuzzy Hash: 99519065A0C2029ACB167B14ED0277D3BA4FF40742F344B58E8F5422F9DB758DC9AA4E

Function 00C3E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C3E1B1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e1a5b8ec31f5ff3c2b260c0667bf1900e83d3ddc748ced8d149c54aced0605f2
Instruction ID: f021e469c420ab02482364e8826107c7a1b45d77d0d237517df7fcdf40e3c196
Opcode Fuzzy Hash: e1a5b8ec31f5ff3c2b260c0667bf1900e83d3ddc748ced8d149c54aced0605f2
Instruction Fuzzy Hash: 2B512376500346DFDB19DF68C481ABA7BA8EF19310F248095FCA59B2D0D7349E52DBA0

Function 00C3F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C3F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C3F2BB

Strings

@, xrefs: 00C3F2AF

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 13c655d19ca53e4e0f79c1423a75ec3c27161209c99d234a530f31b066cff04b
Instruction ID: 0b7190e95f1b18c1b0312fbfcbcdc392ea08fce9ed6c5a3b61feb012188a6ea6
Opcode Fuzzy Hash: 13c655d19ca53e4e0f79c1423a75ec3c27161209c99d234a530f31b066cff04b
Instruction Fuzzy Hash: 1D512372408744ABD320AF54E886BAFBBF8FB84300F81895DF1D9411A5EB719529CB66

Function 00CA5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CA57E0
_wcslen.LIBCMT ref: 00CA57EC

Strings

CALLARGARRAY, xrefs: 00CA57E6, 00CA57EB

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0aca7bdfdcadbf0ab1cd2491aa8ffe88e9d48e3f649f824da9620939e6a8642f
Instruction ID: 162561f9cee836ceb322a6fa252ebc117468cf362b878f275c20024719621fa4
Opcode Fuzzy Hash: 0aca7bdfdcadbf0ab1cd2491aa8ffe88e9d48e3f649f824da9620939e6a8642f
Instruction Fuzzy Hash: B041B271E0020A9FCB14DFA9C8819BEBBB5FF5A318F148129E515A7291E7349E81DB90

Function 00C9D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C9D13A

Strings

|, xrefs: 00C9D10B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9b545daa06d70d3c142eb4f9e8b44babd9281b0c3d2909d9ce1ba9790df53eda
Instruction ID: f7dc08d6ff230b6f1630f6f09851438176061917788d389396bd87d99a8c7a48
Opcode Fuzzy Hash: 9b545daa06d70d3c142eb4f9e8b44babd9281b0c3d2909d9ce1ba9790df53eda
Instruction Fuzzy Hash: CE313C71D01219ABCF15EFA5DC85AEEBFB9FF04310F100019F816B6162EB31AA56DB60

Function 00CB356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CB3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CB365C

Strings

static, xrefs: 00CB35BC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ff9c12a90ea73b3a663a44efa98601068aa2a05260236ee627f9209504908cdc
Instruction ID: a34427ba8459311ad88bd00c5f4dc40a68e359b6c36eded3609a579258040027
Opcode Fuzzy Hash: ff9c12a90ea73b3a663a44efa98601068aa2a05260236ee627f9209504908cdc
Instruction Fuzzy Hash: 86319A71110644AEDB24DF68DC80FFB73A9FF88720F109619F9A597290DA30AE81DB64

Function 00CB4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CB461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CB4634

Strings

', xrefs: 00CB458E

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3d7235f0f547f6dc71eee5760a6d95939fcb14974d3977241dda068316d96a4f
Instruction ID: 679c948faf46f589bb96944be08f332ca6114f5bc75679565d923a8d64960a5f
Opcode Fuzzy Hash: 3d7235f0f547f6dc71eee5760a6d95939fcb14974d3977241dda068316d96a4f
Instruction Fuzzy Hash: B1313974A047199FDF18CFA9C980BEA7BB5FF09300F14406AE904AB342D770AA45CF90

Function 00CB31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CB327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CB3287

Strings

Combobox, xrefs: 00CB3249

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ff78d3aa93e4afabb5f694cd8f1462974de7f9841a604bc1206afd8f0fe280b8
Instruction ID: 8409c285dfa7f8dfb0eb30f2d30a4fdf3ee27836c8227c0f65a17255b1a755ed
Opcode Fuzzy Hash: ff78d3aa93e4afabb5f694cd8f1462974de7f9841a604bc1206afd8f0fe280b8
Instruction Fuzzy Hash: 3A11B2713002487FEF259E94DC81FFB376AEB983A4F104228F92897292D6719E519761

Function 00CB3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C2604C
Part of subcall function 00C2600E: GetStockObject.GDI32(00000011), ref: 00C26060
Part of subcall function 00C2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C2606A

GetWindowRect.USER32(00000000,?), ref: 00CB377A
GetSysColor.USER32(00000012), ref: 00CB3794

Strings

static, xrefs: 00CB3757

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3eff7c72b6e372020d9002bf15ab1ab6a57ead791e86394c7b7c68ebd014f9ea
Instruction ID: 64b377f68f4ab8518b15988a3f3e58967abbf78c061df8f30b9d826f6579c884
Opcode Fuzzy Hash: 3eff7c72b6e372020d9002bf15ab1ab6a57ead791e86394c7b7c68ebd014f9ea
Instruction Fuzzy Hash: 2A1129B2610209AFDF00DFA8CD85EEE7BB8EB08354F004624F965E2250EB35E951DB60

Function 00C9CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C9CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C9CDA6

Strings

<local>, xrefs: 00C9CD66

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9073e51ad43e5ec2ff13b18c1aa1cee6a0d7a8701c88845d8b83987b153abe7b
Instruction ID: 01d50f0c0fec5baa94fc2111d01bdd28edf872bfc3ca528a7e4fa5e187516f5b
Opcode Fuzzy Hash: 9073e51ad43e5ec2ff13b18c1aa1cee6a0d7a8701c88845d8b83987b153abe7b
Instruction Fuzzy Hash: 3311A3B22056317ADB244B668CC9FE7BE6CEB127A4F004226F11993080D6609950D6F0

Function 00CB3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CB34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CB34BA

Strings

edit, xrefs: 00CB348F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c1d045caeb186d939c0eac2486b21c82f76b3f323d9ceaeff5ed69f95fec8c4a
Instruction ID: 51cc92700323fe289533ef8531a75c5ce6f8e64b7b38d1824e8acded62fbc36e
Opcode Fuzzy Hash: c1d045caeb186d939c0eac2486b21c82f76b3f323d9ceaeff5ed69f95fec8c4a
Instruction Fuzzy Hash: 9D118C71200248ABEB228E68DC84BFB3B6AEF15374F504724F971971E0C771DE55AB60

Function 00C86C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C86CB6
_wcslen.LIBCMT ref: 00C86CC2

Strings

STOP, xrefs: 00C86CBC, 00C86CC1

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 00efce601bd455f20c2ccc2920d5c4d9e7cdfa185e60db9d13f67c1d11d5c4d7
Instruction ID: 7bbd57035349d102d62d64ec4d7b37cef6bd63eee92224e240b24c4dcc935eed
Opcode Fuzzy Hash: 00efce601bd455f20c2ccc2920d5c4d9e7cdfa185e60db9d13f67c1d11d5c4d7
Instruction Fuzzy Hash: 3101C032A105268BCB21BFFEDC809BF77B5FB61718B100529E86296190EA31DA00D754

Function 00C81CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C81D4C

Strings

ComboBox, xrefs: 00C81CEB
ListBox, xrefs: 00C81D16

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 096c171d6baf84c474f5195a6f32ab2442e4e52e5108c86e8b6ebaa0956381be
Instruction ID: 6dfe83445a83c584c0be63e3ab8f186335a496ca4c9963d19210426bb027ccfd
Opcode Fuzzy Hash: 096c171d6baf84c474f5195a6f32ab2442e4e52e5108c86e8b6ebaa0956381be
Instruction Fuzzy Hash: C201D875601228ABCB05FBA4DC51EFE73A8FB46354F08062AFC32572C1EA3059099764

Function 00C81BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C81C46

Strings

ComboBox, xrefs: 00C81BE5
ListBox, xrefs: 00C81C10

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1306a4fd50b7b1e077aaae99f306bebdcf76616779a5efd9ee2121e48f36af76
Instruction ID: 87bc8c4073c9e14535991a93a2b7bc5ee7b4b11fac8707e24cefe84e23335bee
Opcode Fuzzy Hash: 1306a4fd50b7b1e077aaae99f306bebdcf76616779a5efd9ee2121e48f36af76
Instruction Fuzzy Hash: 9901A775B8111867CB04FB90D951EFF77ECEB16344F180029B816672C1EA209F0997B5

Function 00C81C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C81CC8

Strings

ComboBox, xrefs: 00C81C69
ListBox, xrefs: 00C81C94

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3f58b7ea96728459980a92a67f9f8182009ff3c4a8a97c8d729ec9f4fe0e637d
Instruction ID: aab7fdd9d05f85698c8440c27cd2b5aaa0a1596e44693cb8386e77ddf37ba8ee
Opcode Fuzzy Hash: 3f58b7ea96728459980a92a67f9f8182009ff3c4a8a97c8d729ec9f4fe0e637d
Instruction Fuzzy Hash: 9201D6B5B8012867CB04FBA5DA11EFE73ECAB12384F180025BC0273281EA709F09D775

Function 00C81D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29CB3: _wcslen.LIBCMT ref: 00C29CBD

Part of subcall function 00C83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C83CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C81DD3

Strings

ComboBox, xrefs: 00C81D75
ListBox, xrefs: 00C81DA0

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3d0512ba48e41f3f2d038564409d5f88ec26dc491533b911a083525dc660b943
Instruction ID: 05ec9f82461bd89be9f6652d633783835a52367c670794ba3eabfbd21dd62c34
Opcode Fuzzy Hash: 3d0512ba48e41f3f2d038564409d5f88ec26dc491533b911a083525dc660b943
Instruction Fuzzy Hash: EBF0C871B5122867DB05F7A5DC52FFF77BCEB02758F080926BC22632C1DA705A099364

Function 00CA747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA7493
_wcslen.LIBCMT ref: 00CA74B9

Strings

3, 3, 16, 1, xrefs: 00CA7483

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: aa15c92a0f02be8251ee2789053ce5006fab070df46fbe43cb708680e3c94abb
Instruction ID: 722bf78d5cc6e36f4209b331f22a419d90e04799013e04cecc4a802568e834a1
Opcode Fuzzy Hash: aa15c92a0f02be8251ee2789053ce5006fab070df46fbe43cb708680e3c94abb
Instruction Fuzzy Hash: C9E02B02214221109235127A9CC1A7F578DFFDE750720192BF981C2266EE948E92B3A0

Function 00C80B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C80B23

Strings

Error allocating memory., xrefs: 00C80B1C
AutoIt, xrefs: 00C80B17

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: bfcb87716580ff24b730622d615d5509f69d1bc17ade723439186fc2a3cc6c10
Instruction ID: 2975784e445217797d23564cdb9aa11ed658bc207f5be9d1fb2c7795161d5146
Opcode Fuzzy Hash: bfcb87716580ff24b730622d615d5509f69d1bc17ade723439186fc2a3cc6c10
Instruction Fuzzy Hash: C3E0803224435837D2143B957C47FC97B849F05F65F20043AFB58555C38EE1655157ED

Function 00C40D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C3F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C40D71,?,?,?,00C2100A), ref: 00C3F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C2100A), ref: 00C40D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C2100A), ref: 00C40D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C40D7F

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: edff2717a90fb464c37e4c9cbf77bcb7f63eadd44c145f4e56bc184e3c2c6916
Instruction ID: 8dfdb904d801640124d22a3dd90f4617a64f257458a7c62d00a53e4b1139a81a
Opcode Fuzzy Hash: edff2717a90fb464c37e4c9cbf77bcb7f63eadd44c145f4e56bc184e3c2c6916
Instruction Fuzzy Hash: 80E092B06407518BD730AFBCE8487567BE0BF04740F104A2DE592C7751DBB5E449CBA2

Function 00C93017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C9302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C93044

Strings

aut, xrefs: 00C93038

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4cfc0f439c58a064e0e07eaac1eaf5b6df1db888825b952df3a087433b1bd047
Instruction ID: 8eed56b951182e1f6d5aed5838a7606e4e4cc4adf4d81b0a7d83f87c291df078
Opcode Fuzzy Hash: 4cfc0f439c58a064e0e07eaac1eaf5b6df1db888825b952df3a087433b1bd047
Instruction Fuzzy Hash: C9D05EB290032867DA20A7A5AC4EFCB3A6CDB04750F0002A1B755E3091DAB89984CBE1

Function 00C7D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C7D220

Strings

X64, xrefs: 00C7D2A8
%.3d, xrefs: 00C7D22B

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 42947ff20e7415919d9b2f78ab65b20b5a78622348bfa6cf0e59620ade064977
Instruction ID: d79a85c45ded45d70e5453e3b9aa47c14b981dad7813db80a4214de1c72df6c2
Opcode Fuzzy Hash: 42947ff20e7415919d9b2f78ab65b20b5a78622348bfa6cf0e59620ade064977
Instruction Fuzzy Hash: D3D012A1C08108EACB9096E2DC859BDB37CBF08301F50C462F90BA1041D624CD0A6761

Function 00CB2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CB236C
PostMessageW.USER32(00000000), ref: 00CB2373

Part of subcall function 00C8E97B: Sleep.KERNEL32 ref: 00C8E9F3

Strings

Shell_TrayWnd, xrefs: 00CB2365

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 49fc7c2cb49bcfffe3dbd1b580ecc2202c44480c31190d88571d796ba6062cac
Instruction ID: 63e61240d8eebcbbd099253df7000a95a41a958d9fbc9943c7d04e35b5a0082c
Opcode Fuzzy Hash: 49fc7c2cb49bcfffe3dbd1b580ecc2202c44480c31190d88571d796ba6062cac
Instruction Fuzzy Hash: 31D0A9323C03007AE264B731AC4FFCA66049B04B00F000A12B281AA0D0C8E0A8408A08

Function 00CB2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CB232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CB233F

Part of subcall function 00C8E97B: Sleep.KERNEL32 ref: 00C8E9F3

Strings

Shell_TrayWnd, xrefs: 00CB2325

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 19be45310cca0546f6fb52eb9a087df11f5653202eed36f5bb9c9ec509326184
Instruction ID: e213e459d463b91a59144793405e1b7d9bb9ac1ab1bc34549089c6d000c44991
Opcode Fuzzy Hash: 19be45310cca0546f6fb52eb9a087df11f5653202eed36f5bb9c9ec509326184
Instruction Fuzzy Hash: 9AD012363D4350B7E674B771EC4FFDA7A149B14B14F004A16B785AA1D0D9F0A845CB54

Function 00C5BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C5BE93
GetLastError.KERNEL32 ref: 00C5BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C5BEFC

Memory Dump Source

Source File: 00000000.00000002.1794167342.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1794113120.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794300197.0000000000CE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794386287.0000000000CEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1794422012.0000000000CF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1bf374ca8a6fbda83f6c16bd702db06c2e2229f425b6eb339e13b41e635264d5
Instruction ID: de9daac9c2736b90df334ebd0d4837c898ec9576fc6691e498b4cf73ca5d510c
Opcode Fuzzy Hash: 1bf374ca8a6fbda83f6c16bd702db06c2e2229f425b6eb339e13b41e635264d5
Instruction Fuzzy Hash: 6941C63C600206AFCB21CFA5CC45BAA7FA5AF41312F144269FD69571A1DB708E89DB64

Analysis Process: firefox.exePID: 7576, Parent PID: 7780COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002715DFA21F2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000002715DFA2257

Strings

>, xrefs: 000002715DFA305C
z, xrefs: 000002715DFA3836
>, xrefs: 000002715DFA62FF
#, xrefs: 000002715DFA2282
A, xrefs: 000002715DFA224F
>, xrefs: 000002715DFA22B9
4, xrefs: 000002715DFA62D9
#, xrefs: 000002715DFA05C5
#, xrefs: 000002715DFA3331
z, xrefs: 000002715DFA228B

Memory Dump Source

Source File: 00000010.00000002.2997420008.000002715DFA0000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002715DFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2715dfa0000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 949b6e706f03312b8e2015f38d387fa16f48d381b41c258835839bfb2a6a43b4
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: EBA3F531618A498BDB2DDF1DDC856A973E5FF98700F54422ED88AC7245DF34EA128BC2

Function 000002715DF99286 Relevance: 1.1, Instructions: 1086
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2996959214.000002715DF98000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002715DF98000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2715df98000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e05535263f377124fd2e64c50c6294686e67101ff6e4dab1b75545afbcc9b58
Instruction ID: 623e629aea13600aa90897217d992b4542518496e8dca02f154f7bd6a69b13db
Opcode Fuzzy Hash: 6e05535263f377124fd2e64c50c6294686e67101ff6e4dab1b75545afbcc9b58
Instruction Fuzzy Hash: C321933151CB8C4FD745EF28C844A56BBE0FB5A310F1506AFE0C9C3292E734D9498792

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1951667958.000002D2AB6F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1815612740.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925197063.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1815612740.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925197063.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1956609636.000002D2B4C32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925110949.000002D2B4C32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1815612740.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925197063.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1815612740.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925197063.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926028996.000002D2B35DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E00A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E00A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1980258962.000002D2AD541000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931621084.000002D2AD53F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2998349877.000002715E00A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1942244227.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956609636.000002D2B4C32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925110949.000002D2B4C32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1942244227.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1970307999.000002D2B4DB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1925197063.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957194605.000002D2B389C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1974318995.000002D2B38F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.114.101:443 -> 192.168.2.4:53057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:53131 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:53130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:53133 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.101
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 53319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53131
Source: unknown	Network traffic detected: HTTP traffic on port 53085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53130
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53133
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 53130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 53131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53319
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53085
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_acf8b154-b237-4e2d-afd7-0699068602cd.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_acf8b154-b237-4e2d-afd7-0699068602cd.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre