Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545856
MD5:	a335cd63136a16beb8fe31ab14a26a75
SHA1:	2f9b495d470243da1c704bdc296f99397c2009ef
SHA256:	e00d314b4c4fb9f66c905e4b4f968bcef3ac6830ee74119ca4c665c8991e9382
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

file.exe (PID: 2188 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A335CD63136A16BEB8FE31AB14A26A75)

taskkill.exe (PID: 8 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2304 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4048 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4208 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4948 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5688 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4048 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6640 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7244 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fccaa5e-2c76-487a-a81d-78c63d2f5f66} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 2519f370910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7756 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4288 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 4280 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {007e07b1-cd7c-48ac-9d53-5a47acb7766b} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b1934a10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7324 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5080 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d919aa-f902-48a8-a2ba-21699d9c826f} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b0cfa110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1743147765.0000000001821000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 2188	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00CBEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CBED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00CBEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00CAAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CD9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f1d281b6-1
Source: file.exe, 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6430fcc9-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cba74445-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d311a672-3

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001C549EE93B7 NtQuerySystemInformation,		16_2_000001C549EE93B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001C54A4987B2 NtQuerySystemInformation,		16_2_000001C54A4987B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00CAD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CAE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB2046	0_2_00CB2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C48060	0_2_00C48060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA8298	0_2_00CA8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7E4FF	0_2_00C7E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7676B	0_2_00C7676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD4873	0_2_00CD4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4CAF0	0_2_00C4CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6CAA0	0_2_00C6CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5CC39	0_2_00C5CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C76DD9	0_2_00C76DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C491C0	0_2_00C491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5B119	0_2_00C5B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C61394	0_2_00C61394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C61706	0_2_00C61706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6781B	0_2_00C6781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C619B0	0_2_00C619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5997D	0_2_00C5997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C47920	0_2_00C47920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C67A4A	0_2_00C67A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C67CA7	0_2_00C67CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C61C77	0_2_00C61C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C79EEE	0_2_00C79EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCBE44	0_2_00CCBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C61F32	0_2_00C61F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001C549EE93B7	16_2_000001C549EE93B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001C54A4987B2	16_2_000001C54A4987B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001C54A4987F2	16_2_000001C54A4987F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001C54A498EDC	16_2_000001C54A498EDC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C5F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C60A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@74/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB37B5 GetLastError,FormatMessageW,

0_2_00CB37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA10BF AdjustTokenPrivileges,CloseHandle,		0_2_00CA10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CA16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CB51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CAD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CB648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1905240295.00000251AB4EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1866457667.00000251BACA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1885279051.00000251BAB95000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fccaa5e-2c76-487a-a81d-78c63d2f5f66} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 2519f370910 socket
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4288 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 4280 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {007e07b1-cd7c-48ac-9d53-5a47acb7766b} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b1934a10 rdd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5080 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d919aa-f902-48a8-a2ba-21699d9c826f} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b0cfa110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fccaa5e-2c76-487a-a81d-78c63d2f5f66} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 2519f370910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4288 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 4280 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {007e07b1-cd7c-48ac-9d53-5a47acb7766b} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b1934a10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5080 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d919aa-f902-48a8-a2ba-21699d9c826f} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b0cfa110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1798238635.00000251AC773000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000D.00000003.1835798868.00000251AC75E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835502758.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1836376911.00000251AC792000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1836963772.00000251AC793000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1836376911.00000251AC792000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1798238635.00000251AC773000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1836963772.00000251AC793000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000D.00000003.1835798868.00000251AC75E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835502758.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C442DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C60A76 push ecx; ret

0_2_00C60A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C5F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CD1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95593

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001C549EE93B7 rdtsc

16_2_000001C549EE93B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB68EE FindFirstFileW,FindClose,	0_2_00CB68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CB698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CAD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CAD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CB9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CB979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CB9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CB5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C442DE

Source: firefox.exe, 00000010.00000002.2930056618.000001C549BBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^9J
Source: firefox.exe, 00000011.00000002.2935232165.00000208D1380000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: firefox.exe, 0000000F.00000002.2936058983.0000029355A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: firefox.exe, 0000000F.00000002.2930277413.00000293551BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 0000000F.00000002.2930277413.00000293551BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935672609.000001C54A390000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930028402.00000208D0EAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2935312537.000002935561C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2930277413.00000293551BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI
Source: firefox.exe, 0000000F.00000002.2936058983.0000029355A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935672609.000001C54A3A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001C549EE93B7 rdtsc

16_2_000001C549EE93B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBEAA2 BlockInput,

0_2_00CBEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C72622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C64CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C64CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00CA0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C72622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C72622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C6083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C609D5 SetUnhandledExceptionFilter,	0_2_00C609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C60C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C60C21

Source: C:\Users\user\Desktop\file.exe

0_2_00CA1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C82BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C82BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAB226 SendInput,keybd_event,

0_2_00CAB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CC22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=2300 -parentbuildid 20230927232528 -prefshandle 2244 -prefmaphandle 2236 -prefslen 25359 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {1fccaa5e-2c76-487a-a81d-78c63d2f5f66} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 2519f370910 socket
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=4288 -parentbuildid 20230927232528 -prefshandle 3944 -prefmaphandle 4280 -prefslen 26374 -prefmapsize 237879 -appdir "c:\program files\mozilla firefox\browser" - {007e07b1-cd7c-48ac-9d53-5a47acb7766b} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b1934a10 rdd
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=5060 -parentbuildid 20230927232528 -sandboxingkind 0 -prefshandle 4996 -prefmaphandle 5080 -prefslen 33185 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {37d919aa-f902-48a8-a2ba-21699d9c826f} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b0cfa110 utility

Source: C:\Users\user\Desktop\file.exe

0_2_00CA0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CA1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CA1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1808248902.00000251BB5F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C60698 cpuid

0_2_00C60698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00CB8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9D27A GetUserNameW,

0_2_00C9D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C7BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C7BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1743147765.0000000001821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2188, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1743147765.0000000001821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 2188, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CC1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CC1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	41%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false		unknown
twitter.com	104.244.42.65	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.65.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.186.142	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.184.206	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.65.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
197.87.175.4.in-addr.arpa	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000D.00000003.1791269171.00000251B0027000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1888792687.00000251B2B8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889561765.00000251B28EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D12C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1898303694.00000251B0C55000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1866094360.00000251BAFEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2932514867.00000293555B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935444824.00000208D1503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1839748376.00000251B713C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2932913659.000001C549F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D128F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1899808135.00000251B0639000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1908184166.00000251B72DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1872737136.00000251BA589000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1724869256.00000251AC963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724533142.00000251AC920000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724698601.00000251AC941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1725052190.00000251AC984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724377860.00000251AEE00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1906681128.00000251B0E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897006477.00000251B0E43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1913758283.00000251BAB75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1874034939.00000251B707F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1874034939.00000251B705B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1886265237.00000251B9673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724698601.00000251AC941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1725052190.00000251AC984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724377860.00000251AEE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896834303.00000251B0EA4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1874974673.00000251B2664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895784686.00000251B2664000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1724869256.00000251AC963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724533142.00000251AC920000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724698601.00000251AC941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724377860.00000251AEE00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1890344739.00000251B19BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888792687.00000251B2BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878042383.00000251B1AF2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1890344739.00000251B19C6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2932514867.00000293555B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935444824.00000208D1503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://spocs.getpocket.com/7$	firefox.exe, 00000011.00000002.2931978751.00000208D1213000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1874974673.00000251B26B4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1874034939.00000251B705B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2932514867.00000293555B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935444824.00000208D1503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549F0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D120C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1787388062.00000251B0046000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1911052747.00000251B75C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1899808135.00000251B0639000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1873058492.00000251B725B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549FC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D12C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1791269171.00000251B0027000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787388062.00000251B0046000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1839275478.00000251B0F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1914008776.00000251BA5F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1906681128.00000251B0E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897006477.00000251B0E43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1872737136.00000251BA589000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1914473371.00000251BA3B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000010.00000002.2932913659.000001C549F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D1213000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1899808135.00000251B0639000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1874034939.00000251B707F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1886744246.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901048938.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911052747.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893752708.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1842495900.00000251B790C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873913028.00000251B70EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786494537.00000251B79C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837914843.00000251B0F1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843196131.00000251B718D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878042383.00000251B1AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843196131.00000251B712E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915562643.00000251B70EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1735257502.00000251AEEB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880904240.00000251B7612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878910906.00000251B19D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789888580.00000251B76A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873652649.00000251B7224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880813880.00000251B7667000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837304860.00000251B29EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835876898.00000251AEE9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882529280.00000251ACA65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882434050.00000251ACAA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839275478.00000251B0F6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874034939.00000251B7045000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839275478.00000251B0F4B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1874974673.00000251B2664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895784686.00000251B2664000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1874974673.00000251B2664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877364085.00000251B1CA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895784686.00000251B2664000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1888792687.00000251B2BEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1873652649.00000251B7224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866457667.00000251BACA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874974673.00000251B2641000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1873652649.00000251B7224000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866457667.00000251BACA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874974673.00000251B2641000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1886744246.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901048938.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911052747.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893752708.00000251B75CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1839748376.00000251B713C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1874034939.00000251B705B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1899688867.00000251B0677000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1874034939.00000251B705B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1731486495.00000251AEB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727064236.00000251AEB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730646496.00000251AEB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858715767.00000251AEB31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1891319440.00000251B0EEF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https:	firefox.exe, 0000000D.00000003.1806480909.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809407404.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1836528889.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837410595.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827909504.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799796015.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798667137.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833200532.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807877959.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1802060970.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835502758.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808527335.00000251AC74A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1895784686.00000251B2675000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874974673.00000251B2675000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1787388062.00000251B0046000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787698475.00000251B005C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1731486495.00000251AEB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727064236.00000251AEB33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730646496.00000251AEB31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858715767.00000251AEB31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2932514867.00000293555B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932913659.000001C549FE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935444824.00000208D1503000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1899808135.00000251B0659000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1899808135.00000251B0639000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1884839474.00000251BACC7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1724377860.00000251AEE00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1724869256.00000251AC963000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840679149.00000251B0FE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724533142.00000251AC920000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724698601.00000251AC941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1725052190.00000251AC984000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1724377860.00000251AEE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896834303.00000251B0EA4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1874034939.00000251B707F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2931877256.00000293552A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2932226324.000001C549EA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2931415932.00000208D1090000.00000002.10000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545856
Start date and time:	2024-10-31 07:45:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@74/11
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.160.212.113, 54.185.230.140, 52.11.191.138, 172.217.16.142, 2.22.61.59, 2.22.61.56, 142.250.186.74, 142.250.186.170, 142.250.186.142
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:46:11	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0f569f28-2b47-40d1-b4cb-ce8f4c02a763.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1837985121045405
Encrypted:	false
SSDEEP:	192:OjMiXjUcbhbVbTbfbRbObtbyEl7n8raJA6WnSrDtTUd/SkDrm:OYZcNhnzFSJcrpBnSrDhUd/k
MD5:	E73E40BB4AFFDE0E7031644DEBD1B5E2
SHA1:	E53B473BB5134965DB7DD3EE2E78D94AFD0B2910
SHA-256:	3F1AF31B5EC80E6FF00F345B536B7FDFF1E64C03EFEBE45B8725169C1F9E3E4A
SHA-512:	DB57B4DA30712C3713249F8BE604B5DB6DC2771DEAAE3D247BBA4083A8654321BD75CAFB43E620EFC55CCB8E67A958A3E9534336F8DC859F03CA6A22C82D78C7
Malicious:	false
Preview:	{"type":"uninstall","id":"0f569f28-2b47-40d1-b4cb-ce8f4c02a763","creationDate":"2024-10-31T08:16:51.518Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0f569f28-2b47-40d1-b4cb-ce8f4c02a763.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1837985121045405
Encrypted:	false
SSDEEP:	192:OjMiXjUcbhbVbTbfbRbObtbyEl7n8raJA6WnSrDtTUd/SkDrm:OYZcNhnzFSJcrpBnSrDhUd/k
MD5:	E73E40BB4AFFDE0E7031644DEBD1B5E2
SHA1:	E53B473BB5134965DB7DD3EE2E78D94AFD0B2910
SHA-256:	3F1AF31B5EC80E6FF00F345B536B7FDFF1E64C03EFEBE45B8725169C1F9E3E4A
SHA-512:	DB57B4DA30712C3713249F8BE604B5DB6DC2771DEAAE3D247BBA4083A8654321BD75CAFB43E620EFC55CCB8E67A958A3E9534336F8DC859F03CA6A22C82D78C7
Malicious:	false
Preview:	{"type":"uninstall","id":"0f569f28-2b47-40d1-b4cb-ce8f4c02a763","creationDate":"2024-10-31T08:16:51.518Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9256657873516
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNS9W:8S+OfJQPUFpOdwNIOdYVjvYcXaNLBB8P
MD5:	E0009EB8500FAC41D244A6147CF65A73
SHA1:	C5F4E350CE33C540AE1C1676FC3429CC65D0948B
SHA-256:	7467B02008CC708BB87E0CF898717F3FACFCF23A524527F627AC921BBA1138D8
SHA-512:	F02008CDA11C9106088B72128E55424362FD28238C85C6BF503F0BF43BC0D403683E94A7FABFF6E9451B286BBE3DC78EE8D296BD4E88E5CEF40EF342DB7F3835
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9256657873516
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNS9W:8S+OfJQPUFpOdwNIOdYVjvYcXaNLBB8P
MD5:	E0009EB8500FAC41D244A6147CF65A73
SHA1:	C5F4E350CE33C540AE1C1676FC3429CC65D0948B
SHA-256:	7467B02008CC708BB87E0CF898717F3FACFCF23A524527F627AC921BBA1138D8
SHA-512:	F02008CDA11C9106088B72128E55424362FD28238C85C6BF503F0BF43BC0D403683E94A7FABFF6E9451B286BBE3DC78EE8D296BD4E88E5CEF40EF342DB7F3835
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329021336285205
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkir:DLhesh7Owd4+ji
MD5:	198B093C57A26CBF81F6F122B0CE0F1F
SHA1:	E62D94DC9AAE38724ABDA647F55F40A1617D84BC
SHA-256:	447A6A9DA7E584CA4912C1C0A5A5986FFA418DDE56BA9C58515964B96ED4A02B
SHA-512:	DE2BD7B4A4CD20E2C0132DAFE96A2DE89C0F403AFA72F3A5CFF5661895E28DB21E635EF3496A112DEA5E36134B2AE70FCBCFE9867F50217E9EE8B6AFBD2C4349
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstF8ijL78O/tlstF8ijL78T89//alEl:GtWt+V+tWt+VT89XuM
MD5:	407C0DCCC45E0A8B1BB70748507992A7
SHA1:	72A912FDA5117F2026B994DC70E731D8BF596DBA
SHA-256:	54D612B7D45407540E3E592BE2FA526A489DA1746CCC033F170B6D51E27E9779
SHA-512:	54008A7D196D2CBE1ED1746C4927C32E8C2290F006DB28D5FC5E5142D499FFF9F71294A8E874F5E31B3F5F049ED7AAAB63C8023C04473F498CE11166B1D537CD
Malicious:	false
Preview:	..-.....................+d[z....{....d...w....qc..-.....................+d[z....{....d...w....qc........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03993518821809553
Encrypted:	false
SSDEEP:	3:Ol1dMac/2lfeBBDB9tl8rEXsxdwhml8XW3R2:KR826B9tl8dMhm93w
MD5:	7E81F6F4699D4F4E5A64D06661942255
SHA1:	04F140D6A936973113BACB66B9DF19273FC48F5D
SHA-256:	D05FF721268EFFE4AEFC81106A3DE57A48F089F984D43C4AA56DFB5CA2B3FB0A
SHA-512:	1BA7C19C7B92DFE13B886C4ABB7BE02A1EC6A8D832B5B93299253BAD5A3BCD8CE37C0998882C2645FE630A1FA9257810B7B20DCD3CA1D9BEBD25CD19F52120E4
Malicious:	false
Preview:	7....-..........{....d...@u!P........{....d..z[d+....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494982298945413
Encrypted:	false
SSDEEP:	192:VnaRtLYbBp6Shj4qyaaXY6KloNh85RfGNBw8dCSl:4e0qoioecwZ0
MD5:	3FB55E723AEAD489AC7F0BF16AF9DA2C
SHA1:	C930A2F7BED0A8A22534D8DCD880B9B24130D535
SHA-256:	CDB7F93113C917E4EF480B55C266A9D94B0E7FC54270A0BBD50550279FE8CA5A
SHA-512:	2D8D51131597E23E29913421BD7876F07CE28B6B343444AEB747F7BEC5DF0CCD60A2AB6381B8B9DB192792C13B771D869682D1169B862909A85B4B91BE199023
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730362582);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730362582);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730362582);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173036

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494982298945413
Encrypted:	false
SSDEEP:	192:VnaRtLYbBp6Shj4qyaaXY6KloNh85RfGNBw8dCSl:4e0qoioecwZ0
MD5:	3FB55E723AEAD489AC7F0BF16AF9DA2C
SHA1:	C930A2F7BED0A8A22534D8DCD880B9B24130D535
SHA-256:	CDB7F93113C917E4EF480B55C266A9D94B0E7FC54270A0BBD50550279FE8CA5A
SHA-512:	2D8D51131597E23E29913421BD7876F07CE28B6B343444AEB747F7BEC5DF0CCD60A2AB6381B8B9DB192792C13B771D869682D1169B862909A85B4B91BE199023
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730362582);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730362582);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730362582);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173036

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.332151230336102
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMzLXnIgl/pnxQwRlszT5sKt0JZ3eHVQj6TjamhujJTOsIomNVr0ay:GUpOxz3nR6WZ3eHTj4JTIquR4
MD5:	B51377F3F7A05E00A23F9D3B5F0AEDAF
SHA1:	571D7F161B77D91B1B554C4EB36D262EF4E44CC9
SHA-256:	FA4FBE0FC60CFD1EDD8507165F1A309EE7F708971AEC27F2BC784CDB9ADD0FC5
SHA-512:	D63922AC1EFE0F19E153F5FB32D1BDF0DE85B47FAAA2F1E0DB604956C296A42CB89B9C8F3DAAF2427AB52EBE8881C6F37FE1E3A93133A2D7F5A3B8ED0372D4BE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{413e65a3-9bcf-4085-a077-09c14934a675}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730362585611,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..P51239...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...57296,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.332151230336102
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMzLXnIgl/pnxQwRlszT5sKt0JZ3eHVQj6TjamhujJTOsIomNVr0ay:GUpOxz3nR6WZ3eHTj4JTIquR4
MD5:	B51377F3F7A05E00A23F9D3B5F0AEDAF
SHA1:	571D7F161B77D91B1B554C4EB36D262EF4E44CC9
SHA-256:	FA4FBE0FC60CFD1EDD8507165F1A309EE7F708971AEC27F2BC784CDB9ADD0FC5
SHA-512:	D63922AC1EFE0F19E153F5FB32D1BDF0DE85B47FAAA2F1E0DB604956C296A42CB89B9C8F3DAAF2427AB52EBE8881C6F37FE1E3A93133A2D7F5A3B8ED0372D4BE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{413e65a3-9bcf-4085-a077-09c14934a675}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730362585611,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..P51239...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...57296,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.332151230336102
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMzLXnIgl/pnxQwRlszT5sKt0JZ3eHVQj6TjamhujJTOsIomNVr0ay:GUpOxz3nR6WZ3eHTj4JTIquR4
MD5:	B51377F3F7A05E00A23F9D3B5F0AEDAF
SHA1:	571D7F161B77D91B1B554C4EB36D262EF4E44CC9
SHA-256:	FA4FBE0FC60CFD1EDD8507165F1A309EE7F708971AEC27F2BC784CDB9ADD0FC5
SHA-512:	D63922AC1EFE0F19E153F5FB32D1BDF0DE85B47FAAA2F1E0DB604956C296A42CB89B9C8F3DAAF2427AB52EBE8881C6F37FE1E3A93133A2D7F5A3B8ED0372D4BE
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{413e65a3-9bcf-4085-a077-09c14934a675}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730362585611,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...2,"startTim..P51239...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...57296,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033505365646192
Encrypted:	false
SSDEEP:	48:YrSAYn756UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	0DA942FA04507F57E661250A5F393B20
SHA1:	4D1AA0962B578CC9BA6D930FADB8F88FF0AF87F4
SHA-256:	7F10CEA86AFD29CA6DCF509018B13DA6959C2564C55DF9F2C181E8802ED8E583
SHA-512:	0014A7F6FE1048850F3E6B267CA7FBCCA512148B87C697F9B5E348BD891696ACDE056C9A1DC1A0A8C499A422801FD92F9DB7440436D5DF6366E4F4FE86E87B22
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T08:16:05.980Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033505365646192
Encrypted:	false
SSDEEP:	48:YrSAYn756UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcb5:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	0DA942FA04507F57E661250A5F393B20
SHA1:	4D1AA0962B578CC9BA6D930FADB8F88FF0AF87F4
SHA-256:	7F10CEA86AFD29CA6DCF509018B13DA6959C2564C55DF9F2C181E8802ED8E583
SHA-512:	0014A7F6FE1048850F3E6B267CA7FBCCA512148B87C697F9B5E348BD891696ACDE056C9A1DC1A0A8C499A422801FD92F9DB7440436D5DF6366E4F4FE86E87B22
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T08:16:05.980Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584694746507346
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	a335cd63136a16beb8fe31ab14a26a75
SHA1:	2f9b495d470243da1c704bdc296f99397c2009ef
SHA256:	e00d314b4c4fb9f66c905e4b4f968bcef3ac6830ee74119ca4c665c8991e9382
SHA512:	d48b90f8caa499796ff81b5038be1aa385c7535ba8c7420f8eb83455062e0ea391079ebafc5f97cd6bebc5ed5a6439418afe1f8fdfb563ce0c3042b3693bd8ac
SSDEEP:	12288:dqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TK:dqDEvCTbMWu7rQYlBQcBiT6rprG8abK
TLSH:	29159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67232713 [Thu Oct 31 06:43:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC960D6FE33h
jmp 00007FC960D6F73Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC960D6F91Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC960D6F8EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC960D724DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC960D72528h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC960D72511h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	b0ea5bf3ed8aef141632b0184721cfee	False	0.3156398338607595	data	5.374265518574596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 07:46:07.309155941 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.309267998 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:07.309356928 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.313560009 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.313597918 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:07.920430899 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:07.920815945 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.928158045 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.928186893 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:07.928337097 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.928379059 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:07.928580046 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.928709984 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.928746939 CET	443	49737	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:07.928837061 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.930155993 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:07.930167913 CET	443	49737	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:08.558938980 CET	443	49737	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:08.560292006 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:08.567877054 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:08.567893982 CET	443	49737	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:08.567975044 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:08.568039894 CET	443	49737	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:08.572823048 CET	49737	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:09.445907116 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:09.450825930 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:09.454417944 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:09.454701900 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:09.459603071 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:09.896395922 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:09.896447897 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:09.896593094 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:09.898008108 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:09.898022890 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:09.900109053 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:09.900141001 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:09.910253048 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:09.911684990 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:09.911698103 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.050174952 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.099370003 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.158715963 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.158798933 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:10.161914110 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.162117004 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.162154913 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:10.174241066 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.179126978 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.179797888 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.179929018 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.184789896 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.363461018 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:10.363493919 CET	443	49747	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:10.363590002 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:10.378197908 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:10.378210068 CET	443	49747	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:10.512671947 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.512743950 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.518845081 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.518857956 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.518965960 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.519006014 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.519351959 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.519378901 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.522511959 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.522526026 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.527564049 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.527606010 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.527709961 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.530781984 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.530796051 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.533265114 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.533269882 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.533380985 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.533498049 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.533710957 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.533720016 CET	443	49750	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.533936977 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.533972979 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.535340071 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:10.535351038 CET	443	49750	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:10.777772903 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:10.777892113 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.781378031 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.781409979 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:10.781832933 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:10.781996012 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.784451962 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.784538984 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.784691095 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:10.784750938 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:10.832609892 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.863332987 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.863373041 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.873061895 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.873096943 CET	80	49745	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.875004053 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.875021935 CET	49745	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.909065008 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.914127111 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.916016102 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.916182041 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:10.921027899 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:10.998209000 CET	443	49747	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:10.998285055 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.001259089 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.001272917 CET	443	49747	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.001667023 CET	443	49747	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.004009962 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.004141092 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.004198074 CET	443	49747	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.004539013 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.004565001 CET	443	49752	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.004678011 CET	49747	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.004714012 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.004928112 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.004945040 CET	443	49752	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.134816885 CET	443	49750	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.134905100 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.137984037 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.137999058 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.138079882 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.141345024 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.141355038 CET	443	49750	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.141479015 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.141535044 CET	443	49750	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.141848087 CET	49750	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.144490004 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.144499063 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.144572973 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.144673109 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.144727945 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.527585030 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:11.579082012 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:11.647238970 CET	443	49752	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.648299932 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.651747942 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.651761055 CET	443	49752	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.652055025 CET	443	49752	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.656038046 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.656131029 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.656212091 CET	443	49752	34.160.144.191	192.168.2.4
Oct 31, 2024 07:46:11.657869101 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.657882929 CET	49752	443	192.168.2.4	34.160.144.191
Oct 31, 2024 07:46:11.825149059 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.825191975 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.841200113 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.851953030 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:11.851968050 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:11.908422947 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:11.913315058 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:11.913939953 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:11.914117098 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:11.919104099 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:11.972517014 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:11.977397919 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.098946095 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.144215107 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.704621077 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.821491003 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.821568012 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.821628094 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.821680069 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.823725939 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.823808908 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.824953079 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:12.824986935 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:12.825141907 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.830635071 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.830647945 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:12.830776930 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.830830097 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:12.830879927 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.831348896 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.831386089 CET	443	49757	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:12.834656954 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.835859060 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:12.835870028 CET	443	49757	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:12.933756113 CET	49758	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.938770056 CET	80	49758	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.940743923 CET	49758	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.941330910 CET	49758	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:12.944278002 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:12.944314957 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:12.944942951 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:12.946185112 CET	80	49758	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:12.946377039 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:12.946396112 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:13.068293095 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.068334103 CET	443	49760	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:13.069578886 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.075283051 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.076888084 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.076908112 CET	443	49760	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:13.082799911 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.100141048 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.100161076 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.100334883 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.100492954 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.100506067 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.204066992 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.206845045 CET	49758	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.207354069 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:13.207381010 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:13.208348989 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:13.209768057 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:13.209783077 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:13.256091118 CET	80	49758	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.258882999 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.349893093 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.356684923 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.357603073 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.357871056 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.364449978 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.737540960 CET	80	49758	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.737617970 CET	49758	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.737989902 CET	80	49758	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.738045931 CET	49758	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:13.743289948 CET	443	49757	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:13.743381977 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:13.744199991 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.744641066 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.746618032 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:13.746678114 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:13.747984886 CET	80	49758	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.755631924 CET	443	49760	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:13.755645990 CET	443	49760	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:13.755693913 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.800662041 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.800674915 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.801049948 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.804291964 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.806052923 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:13.806072950 CET	443	49757	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:13.806118965 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:13.806226015 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:13.806237936 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:13.806282997 CET	443	49757	34.117.188.166	192.168.2.4
Oct 31, 2024 07:46:13.806401968 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:13.806525946 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:13.806531906 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:13.806600094 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.806725979 CET	49757	443	192.168.2.4	34.117.188.166
Oct 31, 2024 07:46:13.806771994 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.806940079 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:13.806943893 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:13.808604002 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.808614969 CET	443	49760	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:13.808665037 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.809252024 CET	443	49760	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:13.809319019 CET	49760	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:13.962496042 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:13.995764017 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:13.995850086 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:14.015335083 CET	443	49761	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:14.015345097 CET	443	49759	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:14.015397072 CET	49761	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:14.016103983 CET	49759	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:14.020430088 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:14.142584085 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:14.142606020 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:14.142685890 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:14.143408060 CET	443	49762	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:14.154192924 CET	49762	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:16.247153997 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:16.252043962 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:16.265642881 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.265692949 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:16.269979000 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.271437883 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.271466017 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:16.275836945 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.275861979 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:16.276670933 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.276798010 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.276809931 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:16.283631086 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.283668041 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:16.284789085 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.284919977 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:16.284930944 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:16.286750078 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:16.286782980 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:16.291598082 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:16.293028116 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:16.293045998 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:16.705945969 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:16.706028938 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:16.715337038 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:17.038109064 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:17.038191080 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:17.042910099 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.045094013 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.045397043 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.045691013 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:17.047327995 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.048504114 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.051765919 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.051774979 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.052007914 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.055337906 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.056098938 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.056216955 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.056232929 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.056374073 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.056399107 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.056399107 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.057746887 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.057760954 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:17.057765007 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.057811022 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.061084032 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.061094999 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.061486006 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.064096928 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.064106941 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.064264059 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.064299107 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.064305067 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.064475060 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:17.064475060 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:17.064491987 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:17.064562082 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.064625978 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.064692974 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:17.064769030 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:17.066397905 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.066545010 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.066869020 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:17.066973925 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:20.275958061 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:20.280874014 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:20.486087084 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.486119986 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:20.486260891 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.486373901 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.486387014 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:20.535883904 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:20.581012011 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:20.616101980 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:20.621120930 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:20.671464920 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.671515942 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:20.671612978 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.673082113 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.673100948 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:20.736886024 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.736934900 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:20.737775087 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.738380909 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:20.738403082 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:20.742814064 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:20.797238111 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:21.129193068 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.129312992 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.290000916 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.290070057 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.377310991 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.377403021 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.652973890 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.653001070 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.654036045 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.656280994 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.656346083 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.656373024 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:21.656686068 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.659518957 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.659688950 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.659795046 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.659838915 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.659873962 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.659936905 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.659986019 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.660016060 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.660104990 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.660130024 CET	443	49774	34.120.208.123	192.168.2.4
Oct 31, 2024 07:46:21.660806894 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.660845041 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.661041021 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.661266088 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.661266088 CET	49774	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:46:21.661597013 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:21.782726049 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:21.807648897 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:21.812613010 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:21.827264071 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:21.827389002 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:21.827498913 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:21.828941107 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:21.828978062 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:21.831378937 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:21.934324026 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:21.985088110 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:22.140551090 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:22.145869017 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:22.267487049 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:22.317264080 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:22.480881929 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:22.480974913 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:22.947849035 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:22.947882891 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:22.947923899 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:22.948473930 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:22.949301004 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:23.043469906 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:23.048502922 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:23.470237970 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:23.470417023 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:23.473962069 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:23.766962051 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:23.767029047 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:24.958921909 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:24.964021921 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:25.085832119 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:25.141025066 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:33.057456017 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:33.057502985 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:33.064176083 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:33.065784931 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:33.065800905 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:33.480746984 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:34.165553093 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:34.767455101 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:34.767469883 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:34.767546892 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:34.771842003 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:34.771851063 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:34.772001982 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:34.772011042 CET	443	49778	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:34.772202969 CET	49778	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:34.774728060 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:34.779575109 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:34.901330948 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:34.905153990 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:34.910034895 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:34.953726053 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:35.031378984 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:35.085331917 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:36.900258064 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:36.900295973 CET	443	52587	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:36.905567884 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:36.905726910 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:36.905736923 CET	443	52587	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:36.925164938 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:36.925218105 CET	443	52588	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:36.928396940 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:36.928564072 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:36.928579092 CET	443	52588	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:36.930509090 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:36.930537939 CET	443	52589	151.101.65.91	192.168.2.4
Oct 31, 2024 07:46:36.930952072 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:36.931174994 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:36.931188107 CET	443	52589	151.101.65.91	192.168.2.4
Oct 31, 2024 07:46:36.934180021 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:36.934210062 CET	443	52590	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:36.934359074 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:36.935801983 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:36.935816050 CET	443	52590	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:36.943341017 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:36.943376064 CET	443	52591	35.201.103.21	192.168.2.4
Oct 31, 2024 07:46:36.945730925 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:36.945760012 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:36.945765972 CET	443	52591	35.201.103.21	192.168.2.4
Oct 31, 2024 07:46:37.519027948 CET	443	52587	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.519118071 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.522583961 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.522612095 CET	443	52587	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.522993088 CET	443	52587	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.525299072 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.525418997 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.525489092 CET	443	52587	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.526212931 CET	52587	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.530015945 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:37.534981012 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:37.540213108 CET	443	52589	151.101.65.91	192.168.2.4
Oct 31, 2024 07:46:37.540293932 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:37.543356895 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:37.543365955 CET	443	52589	151.101.65.91	192.168.2.4
Oct 31, 2024 07:46:37.543648005 CET	443	52589	151.101.65.91	192.168.2.4
Oct 31, 2024 07:46:37.545905113 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:37.545989990 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:37.546046972 CET	443	52589	151.101.65.91	192.168.2.4
Oct 31, 2024 07:46:37.546789885 CET	443	52588	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:37.552620888 CET	52589	443	192.168.2.4	151.101.65.91
Oct 31, 2024 07:46:37.552653074 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.555838108 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.555854082 CET	443	52588	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:37.556190014 CET	443	52588	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:37.556660891 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.556694984 CET	443	52592	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.556920052 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.557176113 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.557187080 CET	443	52592	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.557694912 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.557717085 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.557885885 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.558026075 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.558039904 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.559801102 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.559812069 CET	443	52594	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.559951067 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.560117006 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:37.560126066 CET	443	52594	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:37.560434103 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.560512066 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.560641050 CET	443	52588	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:37.560691118 CET	52588	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.567785978 CET	443	52590	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:37.567984104 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:37.568636894 CET	443	52591	35.201.103.21	192.168.2.4
Oct 31, 2024 07:46:37.568706036 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:37.574814081 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:37.574822903 CET	443	52590	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:37.574904919 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:37.575118065 CET	443	52590	35.190.72.216	192.168.2.4
Oct 31, 2024 07:46:37.575128078 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:37.575133085 CET	443	52591	35.201.103.21	192.168.2.4
Oct 31, 2024 07:46:37.575180054 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:37.575401068 CET	443	52591	35.201.103.21	192.168.2.4
Oct 31, 2024 07:46:37.575423002 CET	52590	443	192.168.2.4	35.190.72.216
Oct 31, 2024 07:46:37.575493097 CET	52591	443	192.168.2.4	35.201.103.21
Oct 31, 2024 07:46:37.588449955 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.588475943 CET	443	52595	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:37.588563919 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.588655949 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:37.588669062 CET	443	52595	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:37.656966925 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:37.659902096 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:37.664830923 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:37.715039968 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:37.787209034 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:37.830960989 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:38.167464018 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.167583942 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.170320034 CET	443	52594	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.170388937 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.170593023 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.170599937 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.170830011 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.171967030 CET	443	52592	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.173000097 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.173011065 CET	443	52594	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.173197031 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.173244953 CET	443	52594	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.175705910 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.175712109 CET	443	52592	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.176047087 CET	443	52592	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.178864956 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.179006100 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.179131985 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.179137945 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.179816961 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.179876089 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.179961920 CET	443	52594	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.180527925 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.180598974 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.180705070 CET	443	52592	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.182004929 CET	52594	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.182020903 CET	52592	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.185951948 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:38.191024065 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:38.204307079 CET	443	52595	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:38.204390049 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:38.207250118 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:38.207257032 CET	443	52595	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:38.207606077 CET	443	52595	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:38.209460974 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:38.209527969 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:38.209621906 CET	443	52595	34.149.100.209	192.168.2.4
Oct 31, 2024 07:46:38.209753036 CET	52595	443	192.168.2.4	34.149.100.209
Oct 31, 2024 07:46:38.313010931 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:38.316309929 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:38.321245909 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:38.363652945 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:38.383338928 CET	443	52593	35.244.181.201	192.168.2.4
Oct 31, 2024 07:46:38.383501053 CET	52593	443	192.168.2.4	35.244.181.201
Oct 31, 2024 07:46:38.442718983 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:38.495187998 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:40.261002064 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:40.266431093 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:40.388012886 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:40.391071081 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:40.396147966 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:40.438528061 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:40.517970085 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:40.570082903 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:50.398780107 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:50.408061981 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:50.530277967 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:50.535397053 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:55.077630997 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.077682018 CET	443	52601	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:55.077836990 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.079297066 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.079320908 CET	443	52601	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:55.699695110 CET	443	52601	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:55.699834108 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.704411983 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.704425097 CET	443	52601	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:55.704510927 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.704633951 CET	443	52601	34.107.243.93	192.168.2.4
Oct 31, 2024 07:46:55.705315113 CET	52601	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:46:55.707420111 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:55.712346077 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:55.834023952 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:55.837560892 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:55.842612028 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:55.882925987 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:46:55.964234114 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:46:56.014498949 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:05.843265057 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:05.848416090 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:05.974811077 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:05.979609013 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:06.238528967 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.238569021 CET	443	52637	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.238818884 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.238872051 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.238941908 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.238953114 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.239104986 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.239460945 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.239888906 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.239995956 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.240008116 CET	443	52637	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.240164042 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.240197897 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.240237951 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.240242958 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.861094952 CET	443	52637	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.866990089 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.870239973 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.870261908 CET	443	52637	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.870692968 CET	443	52637	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.875504971 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.875648022 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.876029968 CET	443	52637	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.877569914 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.877595901 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.883337975 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.883342981 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.884078026 CET	52637	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.884124994 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.884133101 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.884222984 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.884280920 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.887110949 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.887136936 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.887418985 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.889518023 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.889523029 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.889801025 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.890742064 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:06.895296097 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.895486116 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.895500898 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.895517111 CET	443	52638	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.895530939 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:06.895634890 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.895703077 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.895785093 CET	443	52639	34.120.208.123	192.168.2.4
Oct 31, 2024 07:47:06.904668093 CET	52639	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:06.904735088 CET	52638	443	192.168.2.4	34.120.208.123
Oct 31, 2024 07:47:07.016890049 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:07.020406008 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:07.025177002 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:07.068943977 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:07.146415949 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:07.191436052 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:17.022327900 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:17.027574062 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:17.151694059 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:17.319489956 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:27.039297104 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:27.044182062 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:27.340341091 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:27.345343113 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:35.822984934 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:35.823020935 CET	443	52804	34.107.243.93	192.168.2.4
Oct 31, 2024 07:47:35.823299885 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:35.824944019 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:35.824955940 CET	443	52804	34.107.243.93	192.168.2.4
Oct 31, 2024 07:47:36.431150913 CET	443	52804	34.107.243.93	192.168.2.4
Oct 31, 2024 07:47:36.431243896 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:36.437644958 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:36.437665939 CET	443	52804	34.107.243.93	192.168.2.4
Oct 31, 2024 07:47:36.437817097 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:36.437846899 CET	443	52804	34.107.243.93	192.168.2.4
Oct 31, 2024 07:47:36.438889027 CET	52804	443	192.168.2.4	34.107.243.93
Oct 31, 2024 07:47:36.441587925 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:36.446561098 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:36.570275068 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:36.574537992 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:36.579543114 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:36.613996983 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:36.700659037 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:36.745625019 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:46.574469090 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:46.579643965 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:46.712501049 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:46.717338085 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:56.587496042 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:56.592510939 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:47:56.725575924 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:47:56.730540037 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 07:48:06.607142925 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:48:06.612076044 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 07:48:06.738687992 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 07:48:06.743565083 CET	80	49763	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 07:46:07.311718941 CET	50384	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:07.319127083 CET	53	50384	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:07.332351923 CET	65038	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:07.339657068 CET	53	65038	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.411326885 CET	50125	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.411781073 CET	53524	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.418627977 CET	53	50125	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.420335054 CET	52591	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.420525074 CET	57802	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.427742004 CET	53	57802	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.428158045 CET	53	52591	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.428575039 CET	56424	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.431709051 CET	59822	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.435400009 CET	53	56424	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.438401937 CET	53	59822	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.887434006 CET	58915	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.891807079 CET	59703	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.894316912 CET	53	58915	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.896526098 CET	50648	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.899061918 CET	53	59703	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.903633118 CET	53	50648	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.909037113 CET	61143	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.910864115 CET	49671	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.916331053 CET	53	61143	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.917180061 CET	65301	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:09.917800903 CET	53	49671	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:09.923959970 CET	53	65301	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.128412962 CET	60209	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.128859043 CET	53085	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.135332108 CET	53	60209	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.135466099 CET	53	53085	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.157870054 CET	50721	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.169982910 CET	57766	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.178740025 CET	53	57766	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.179372072 CET	61188	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.186444044 CET	53	61188	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.355349064 CET	54646	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.362504959 CET	53	54646	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.363663912 CET	58495	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.370345116 CET	53	58495	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:10.370923996 CET	59742	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:10.377964973 CET	53	59742	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:12.029552937 CET	61721	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:12.075864077 CET	53	53099	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:12.944853067 CET	50175	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:12.951589108 CET	53	50175	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:12.952195883 CET	58731	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:12.958894968 CET	53	58731	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:12.973890066 CET	50929	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:12.981056929 CET	53	50929	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:13.011038065 CET	57459	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:13.017904997 CET	53	57459	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:13.026145935 CET	64058	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:13.033159018 CET	53	64058	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:13.171680927 CET	53528	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:13.198251009 CET	53	53528	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:13.208235979 CET	51756	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:13.216984987 CET	53	51756	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:13.239362001 CET	61640	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:13.247805119 CET	53	61640	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:16.095724106 CET	61302	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:16.103096962 CET	53	61302	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:16.110600948 CET	51675	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:16.118273020 CET	53	51675	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:16.123239994 CET	56983	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:16.130573034 CET	53	56983	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.260152102 CET	61327	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.260457039 CET	62762	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.260754108 CET	52367	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.267155886 CET	53	61327	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.267673016 CET	53	62762	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.268141031 CET	63721	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.268667936 CET	53	52367	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.268974066 CET	61191	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.275296926 CET	53	63721	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.275794029 CET	53	61191	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.278727055 CET	55653	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.279927015 CET	62252	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.286175966 CET	53	55653	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.286580086 CET	53	62252	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.482409000 CET	63800	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.482661963 CET	56091	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.483479023 CET	53376	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.537904024 CET	53	53376	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.538094044 CET	53	56091	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.538264990 CET	53	63800	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.539055109 CET	52379	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.539055109 CET	59748	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.539470911 CET	49759	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.545651913 CET	53	52379	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.545948029 CET	53	59748	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.546114922 CET	64752	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.546396971 CET	56414	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.546720982 CET	53	49759	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.548101902 CET	63470	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:20.553086042 CET	53	56414	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.553309917 CET	53	64752	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:20.554954052 CET	53	63470	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:21.828054905 CET	60054	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:21.835047960 CET	53	60054	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:33.057704926 CET	62931	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:34.051522017 CET	62931	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:34.165643930 CET	53	62931	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:34.167855978 CET	53	62931	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:34.729315996 CET	53	58465	162.159.36.2	192.168.2.4
Oct 31, 2024 07:46:35.367157936 CET	60552	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:35.374891043 CET	53	60552	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.901340961 CET	58575	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.909539938 CET	53	58575	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.921312094 CET	59432	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.928689957 CET	53	59432	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.930898905 CET	63531	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.935050964 CET	64157	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.938071012 CET	53	63531	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.938642025 CET	50455	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.942399979 CET	53	64157	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.944004059 CET	50139	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.945692062 CET	53	50455	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.951580048 CET	53	50139	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:36.952116013 CET	64195	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:36.959656954 CET	53	64195	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:37.814237118 CET	51284	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:37.822154999 CET	53	51284	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:40.263356924 CET	53471	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:40.272272110 CET	62017	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:40.285506010 CET	53	62017	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:40.286449909 CET	65316	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:40.297969103 CET	53	65316	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:40.389156103 CET	64701	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:40.389389038 CET	63627	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:40.396111012 CET	53	64701	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:40.396183014 CET	53	63627	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:55.068413973 CET	62350	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:55.076596022 CET	53	62350	1.1.1.1	192.168.2.4
Oct 31, 2024 07:46:55.077553988 CET	62953	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:46:55.084474087 CET	53	62953	1.1.1.1	192.168.2.4
Oct 31, 2024 07:47:06.231729031 CET	51226	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:47:06.238343954 CET	53	51226	1.1.1.1	192.168.2.4
Oct 31, 2024 07:47:06.239454985 CET	61509	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:47:06.246062040 CET	53	61509	1.1.1.1	192.168.2.4
Oct 31, 2024 07:47:35.815124989 CET	60501	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:47:35.821958065 CET	53	60501	1.1.1.1	192.168.2.4
Oct 31, 2024 07:47:35.822935104 CET	61764	53	192.168.2.4	1.1.1.1
Oct 31, 2024 07:47:35.829639912 CET	53	61764	1.1.1.1	192.168.2.4
Oct 31, 2024 07:47:36.441883087 CET	55411	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 07:46:07.311718941 CET	192.168.2.4	1.1.1.1	0xfcb3	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:07.332351923 CET	192.168.2.4	1.1.1.1	0xf323	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:09.411326885 CET	192.168.2.4	1.1.1.1	0x9c3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.411781073 CET	192.168.2.4	1.1.1.1	0x5e0c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.420335054 CET	192.168.2.4	1.1.1.1	0x8326	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.420525074 CET	192.168.2.4	1.1.1.1	0x2a49	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.428575039 CET	192.168.2.4	1.1.1.1	0x9b5a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:09.431709051 CET	192.168.2.4	1.1.1.1	0x5e66	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:09.887434006 CET	192.168.2.4	1.1.1.1	0x27f0	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.891807079 CET	192.168.2.4	1.1.1.1	0xf9c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.896526098 CET	192.168.2.4	1.1.1.1	0xe082	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.909037113 CET	192.168.2.4	1.1.1.1	0x2baf	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.910864115 CET	192.168.2.4	1.1.1.1	0x187d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:09.917180061 CET	192.168.2.4	1.1.1.1	0xc79a	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:10.128412962 CET	192.168.2.4	1.1.1.1	0x89ca	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.128859043 CET	192.168.2.4	1.1.1.1	0x9aea	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.157870054 CET	192.168.2.4	1.1.1.1	0x1982	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.169982910 CET	192.168.2.4	1.1.1.1	0x4f7a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.179372072 CET	192.168.2.4	1.1.1.1	0xb46f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:10.355349064 CET	192.168.2.4	1.1.1.1	0x272c	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.363663912 CET	192.168.2.4	1.1.1.1	0x4170	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.370923996 CET	192.168.2.4	1.1.1.1	0x84ec	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:12.029552937 CET	192.168.2.4	1.1.1.1	0x8592	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:12.944853067 CET	192.168.2.4	1.1.1.1	0xdcc5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:12.952195883 CET	192.168.2.4	1.1.1.1	0xd41f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:12.973890066 CET	192.168.2.4	1.1.1.1	0x8909	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.011038065 CET	192.168.2.4	1.1.1.1	0x2b3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.026145935 CET	192.168.2.4	1.1.1.1	0x65aa	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:13.171680927 CET	192.168.2.4	1.1.1.1	0x63ab	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.208235979 CET	192.168.2.4	1.1.1.1	0x70ec	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.239362001 CET	192.168.2.4	1.1.1.1	0xc3f2	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:16.095724106 CET	192.168.2.4	1.1.1.1	0x36e5	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:16.110600948 CET	192.168.2.4	1.1.1.1	0x7438	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:16.123239994 CET	192.168.2.4	1.1.1.1	0xae65	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:20.260152102 CET	192.168.2.4	1.1.1.1	0x67c9	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.260457039 CET	192.168.2.4	1.1.1.1	0xf8f5	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.260754108 CET	192.168.2.4	1.1.1.1	0x4091	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.268141031 CET	192.168.2.4	1.1.1.1	0xff1f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.268974066 CET	192.168.2.4	1.1.1.1	0x589e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.278727055 CET	192.168.2.4	1.1.1.1	0xa3ab	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:20.279927015 CET	192.168.2.4	1.1.1.1	0xf0cf	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:20.482409000 CET	192.168.2.4	1.1.1.1	0xd4bb	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.482661963 CET	192.168.2.4	1.1.1.1	0xf4c	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.483479023 CET	192.168.2.4	1.1.1.1	0x789e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.539055109 CET	192.168.2.4	1.1.1.1	0x206	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.539055109 CET	192.168.2.4	1.1.1.1	0x9c5	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.539470911 CET	192.168.2.4	1.1.1.1	0xaeb5	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 31, 2024 07:46:20.546114922 CET	192.168.2.4	1.1.1.1	0x1f40	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:20.546396971 CET	192.168.2.4	1.1.1.1	0xe5ab	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:20.548101902 CET	192.168.2.4	1.1.1.1	0x920a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:21.828054905 CET	192.168.2.4	1.1.1.1	0xc804	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:33.057704926 CET	192.168.2.4	1.1.1.1	0x5fc3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:34.051522017 CET	192.168.2.4	1.1.1.1	0x5fc3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:35.367157936 CET	192.168.2.4	1.1.1.1	0xed0a	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 31, 2024 07:46:36.901340961 CET	192.168.2.4	1.1.1.1	0x8eb9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:36.921312094 CET	192.168.2.4	1.1.1.1	0xe91a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.930898905 CET	192.168.2.4	1.1.1.1	0x4b5a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.935050964 CET	192.168.2.4	1.1.1.1	0x5f4d	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.938642025 CET	192.168.2.4	1.1.1.1	0x9e3d	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 31, 2024 07:46:36.944004059 CET	192.168.2.4	1.1.1.1	0xe04a	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.952116013 CET	192.168.2.4	1.1.1.1	0x753b	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:46:37.814237118 CET	192.168.2.4	1.1.1.1	0xc646	Standard query (0)	197.87.175.4.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 31, 2024 07:46:40.263356924 CET	192.168.2.4	1.1.1.1	0xd03f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.272272110 CET	192.168.2.4	1.1.1.1	0x174a	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.286449909 CET	192.168.2.4	1.1.1.1	0xd943	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 07:46:40.389156103 CET	192.168.2.4	1.1.1.1	0x5166	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.389389038 CET	192.168.2.4	1.1.1.1	0x40c2	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:55.068413973 CET	192.168.2.4	1.1.1.1	0x2131	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:55.077553988 CET	192.168.2.4	1.1.1.1	0x942a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:47:06.231729031 CET	192.168.2.4	1.1.1.1	0x973a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:47:06.239454985 CET	192.168.2.4	1.1.1.1	0x101d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:47:35.815124989 CET	192.168.2.4	1.1.1.1	0x3297	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:47:35.822935104 CET	192.168.2.4	1.1.1.1	0x8cf9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 07:47:36.441883087 CET	192.168.2.4	1.1.1.1	0xa675	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 07:46:07.306006908 CET	1.1.1.1	192.168.2.4	0x93e6	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:07.319127083 CET	1.1.1.1	192.168.2.4	0xfcb3	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.418627977 CET	1.1.1.1	192.168.2.4	0x9c3	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.418872118 CET	1.1.1.1	192.168.2.4	0x5e0c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:09.418872118 CET	1.1.1.1	192.168.2.4	0x5e0c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.427742004 CET	1.1.1.1	192.168.2.4	0x2a49	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.428158045 CET	1.1.1.1	192.168.2.4	0x8326	No error (0)	youtube.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.435400009 CET	1.1.1.1	192.168.2.4	0x9b5a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 07:46:09.438401937 CET	1.1.1.1	192.168.2.4	0x5e66	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 31, 2024 07:46:09.894316912 CET	1.1.1.1	192.168.2.4	0x27f0	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.899061918 CET	1.1.1.1	192.168.2.4	0xf9c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:09.899061918 CET	1.1.1.1	192.168.2.4	0xf9c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.903633118 CET	1.1.1.1	192.168.2.4	0xe082	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:09.916331053 CET	1.1.1.1	192.168.2.4	0x2baf	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.135332108 CET	1.1.1.1	192.168.2.4	0x89ca	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.135466099 CET	1.1.1.1	192.168.2.4	0x9aea	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.135466099 CET	1.1.1.1	192.168.2.4	0x9aea	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.156512976 CET	1.1.1.1	192.168.2.4	0x3355	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:10.156512976 CET	1.1.1.1	192.168.2.4	0x3355	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.164995909 CET	1.1.1.1	192.168.2.4	0x1982	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:10.164995909 CET	1.1.1.1	192.168.2.4	0x1982	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.178740025 CET	1.1.1.1	192.168.2.4	0x4f7a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.362504959 CET	1.1.1.1	192.168.2.4	0x272c	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:10.362504959 CET	1.1.1.1	192.168.2.4	0x272c	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:10.362504959 CET	1.1.1.1	192.168.2.4	0x272c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.370345116 CET	1.1.1.1	192.168.2.4	0x4170	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:10.377964973 CET	1.1.1.1	192.168.2.4	0x84ec	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 07:46:12.036655903 CET	1.1.1.1	192.168.2.4	0x8592	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:12.938893080 CET	1.1.1.1	192.168.2.4	0x84a1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:12.951589108 CET	1.1.1.1	192.168.2.4	0xdcc5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:12.981056929 CET	1.1.1.1	192.168.2.4	0x8909	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.017904997 CET	1.1.1.1	192.168.2.4	0x2b3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.084903955 CET	1.1.1.1	192.168.2.4	0xc1fb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:13.084903955 CET	1.1.1.1	192.168.2.4	0xc1fb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.198251009 CET	1.1.1.1	192.168.2.4	0x63ab	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:13.198251009 CET	1.1.1.1	192.168.2.4	0x63ab	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:13.216984987 CET	1.1.1.1	192.168.2.4	0x70ec	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:16.103096962 CET	1.1.1.1	192.168.2.4	0x36e5	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:16.103096962 CET	1.1.1.1	192.168.2.4	0x36e5	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:16.103096962 CET	1.1.1.1	192.168.2.4	0x36e5	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:16.118273020 CET	1.1.1.1	192.168.2.4	0x7438	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:16.254975080 CET	1.1.1.1	192.168.2.4	0x5687	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267155886 CET	1.1.1.1	192.168.2.4	0x67c9	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267673016 CET	1.1.1.1	192.168.2.4	0xf8f5	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:20.267673016 CET	1.1.1.1	192.168.2.4	0xf8f5	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.268667936 CET	1.1.1.1	192.168.2.4	0x4091	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:20.268667936 CET	1.1.1.1	192.168.2.4	0x4091	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275296926 CET	1.1.1.1	192.168.2.4	0xff1f	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.275794029 CET	1.1.1.1	192.168.2.4	0x589e	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.286175966 CET	1.1.1.1	192.168.2.4	0xa3ab	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 31, 2024 07:46:20.286580086 CET	1.1.1.1	192.168.2.4	0xf0cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 07:46:20.286580086 CET	1.1.1.1	192.168.2.4	0xf0cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 07:46:20.286580086 CET	1.1.1.1	192.168.2.4	0xf0cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 07:46:20.286580086 CET	1.1.1.1	192.168.2.4	0xf0cf	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 07:46:20.537904024 CET	1.1.1.1	192.168.2.4	0x789e	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.538094044 CET	1.1.1.1	192.168.2.4	0xf4c	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:20.538094044 CET	1.1.1.1	192.168.2.4	0xf4c	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.538094044 CET	1.1.1.1	192.168.2.4	0xf4c	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.538094044 CET	1.1.1.1	192.168.2.4	0xf4c	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.538094044 CET	1.1.1.1	192.168.2.4	0xf4c	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.538264990 CET	1.1.1.1	192.168.2.4	0xd4bb	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.545651913 CET	1.1.1.1	192.168.2.4	0x206	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.545651913 CET	1.1.1.1	192.168.2.4	0x206	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.545651913 CET	1.1.1.1	192.168.2.4	0x206	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.545651913 CET	1.1.1.1	192.168.2.4	0x206	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.545948029 CET	1.1.1.1	192.168.2.4	0x9c5	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:20.546720982 CET	1.1.1.1	192.168.2.4	0xaeb5	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 31, 2024 07:46:35.374891043 CET	1.1.1.1	192.168.2.4	0xed0a	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 31, 2024 07:46:36.928689957 CET	1.1.1.1	192.168.2.4	0xe91a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.928689957 CET	1.1.1.1	192.168.2.4	0xe91a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.928689957 CET	1.1.1.1	192.168.2.4	0xe91a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.928689957 CET	1.1.1.1	192.168.2.4	0xe91a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.938071012 CET	1.1.1.1	192.168.2.4	0x4b5a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.938071012 CET	1.1.1.1	192.168.2.4	0x4b5a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.938071012 CET	1.1.1.1	192.168.2.4	0x4b5a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.938071012 CET	1.1.1.1	192.168.2.4	0x4b5a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.942399979 CET	1.1.1.1	192.168.2.4	0x5f4d	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:36.942399979 CET	1.1.1.1	192.168.2.4	0x5f4d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:36.945692062 CET	1.1.1.1	192.168.2.4	0x9e3d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 07:46:36.945692062 CET	1.1.1.1	192.168.2.4	0x9e3d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 07:46:36.945692062 CET	1.1.1.1	192.168.2.4	0x9e3d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 07:46:36.945692062 CET	1.1.1.1	192.168.2.4	0x9e3d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 07:46:36.951580048 CET	1.1.1.1	192.168.2.4	0xe04a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:37.822154999 CET	1.1.1.1	192.168.2.4	0xc646	Name error (3)	197.87.175.4.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 31, 2024 07:46:38.197689056 CET	1.1.1.1	192.168.2.4	0x9474	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:38.197689056 CET	1.1.1.1	192.168.2.4	0x9474	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:40.271040916 CET	1.1.1.1	192.168.2.4	0xd03f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:46:40.271040916 CET	1.1.1.1	192.168.2.4	0xd03f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.285506010 CET	1.1.1.1	192.168.2.4	0x174a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.297969103 CET	1.1.1.1	192.168.2.4	0xd943	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 07:46:40.396111012 CET	1.1.1.1	192.168.2.4	0x5166	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.396183014 CET	1.1.1.1	192.168.2.4	0x40c2	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:40.396183014 CET	1.1.1.1	192.168.2.4	0x40c2	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:46:55.076596022 CET	1.1.1.1	192.168.2.4	0x2131	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:47:06.226950884 CET	1.1.1.1	192.168.2.4	0x32ac	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:47:06.238343954 CET	1.1.1.1	192.168.2.4	0x973a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:47:35.821958065 CET	1.1.1.1	192.168.2.4	0x3297	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 07:47:36.448818922 CET	1.1.1.1	192.168.2.4	0xa675	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 07:47:36.448818922 CET	1.1.1.1	192.168.2.4	0xa675	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	34.107.221.82	80	6640	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 07:46:09.454701900 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:10.050174952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67605 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	34.107.221.82	80	6640	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 07:46:10.179929018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:10.781996012 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58976 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	6640	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 07:46:10.916182041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:11.527585030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:11.972517014 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:12.098946095 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67608 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:13.069578886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:13.204066992 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67609 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:16.247153997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:16.705945969 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67612 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:16.706028938 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67612 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:17.038109064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67612 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:20.616101980 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:20.742814064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67616 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:21.807648897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:21.934324026 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67617 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:23.043469906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:23.470237970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67619 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:23.470417023 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67619 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:23.766962051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67619 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:33.480746984 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:46:34.774728060 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:34.901330948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67630 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:37.530015945 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:37.656966925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67633 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:38.185951948 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:38.313010931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67634 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:40.261002064 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:40.388012886 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67636 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:46:50.398780107 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:46:55.707420111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:46:55.834023952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67651 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:47:05.843265057 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:06.890742064 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:47:07.016890049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67662 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:47:17.022327900 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:27.039297104 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:36.441587925 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 07:47:36.570275068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 11:59:24 GMT Age: 67692 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 07:47:46.574469090 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:56.587496042 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:48:06.607142925 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	6640	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 07:46:11.914117098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:12.821491003 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58978 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:12.821628094 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58978 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49758	34.107.221.82	80	6640	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 07:46:12.941330910 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49763	34.107.221.82	80	6640	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 07:46:13.357871056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:13.962496042 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58979 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:20.275958061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:20.535883904 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58986 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:21.656373024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:21.782726049 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58987 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:22.140551090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:22.267487049 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58988 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:24.958921909 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:25.085832119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 58991 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:34.905153990 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:35.031378984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59000 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:37.659902096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:37.787209034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59003 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:38.316309929 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:38.442718983 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59004 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:40.391071081 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:40.517970085 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59006 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:46:50.530277967 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:46:55.837560892 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:46:55.964234114 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59021 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:47:05.974811077 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:07.020406008 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:47:07.146415949 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59033 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:47:17.151694059 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:27.340341091 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:36.574537992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 07:47:36.700659037 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 14:23:14 GMT Age: 59062 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 07:47:46.712501049 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:47:56.725575924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 07:48:06.738687992 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:46:01
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc40000
File size:	919'552 bytes
MD5 hash:	A335CD63136A16BEB8FE31AB14A26A75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1743147765.0000000001821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:46:01
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x260000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:46:01
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:46:03
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x260000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:46:03
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:46:03
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x260000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:46:03
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x260000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x260000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:46:04
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:46:05
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fccaa5e-2c76-487a-a81d-78c63d2f5f66} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 2519f370910 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:46:07
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4288 -parentBuildID 20230927232528 -prefsHandle 3944 -prefMapHandle 4280 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {007e07b1-cd7c-48ac-9d53-5a47acb7766b} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b1934a10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:46:12
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4996 -prefMapHandle 5080 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37d919aa-f902-48a8-a2ba-21699d9c826f} 6640 "\\.\pipe\gecko-crash-server-pipe.6640" 251b0cfa110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1535
Total number of Limit Nodes:	66

Executed Functions

Function 00C442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C4430D

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

GetCurrentProcess.KERNEL32(?,00CDCB64,00000000,?,?), ref: 00C44422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C44429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C44454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C44466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C44474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C4447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C444A0

Strings

|O, xrefs: 00C836F8
GetNativeSystemInfo, xrefs: 00C44460
kernel32.dll, xrefs: 00C4444F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8bb91d9d7dd75ba5ca1b24757a5c08b2389cef23aa2c4aa5be3ebca355a2edc5
Instruction ID: 8d7527a27c7d0c753e799b4807b6d47bfd7d45ffa791e8acd2e1a8850677c183
Opcode Fuzzy Hash: 8bb91d9d7dd75ba5ca1b24757a5c08b2389cef23aa2c4aa5be3ebca355a2edc5
Instruction Fuzzy Hash: 74A1F66990A3C0FFCB15D7697C843D97FA47B22704B18E49AE271D3B29DA20460ADB35

Function 00C442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C450AA,?,?,00000000,00000000), ref: 00C442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C450AA,?,?,00000000,00000000), ref: 00C442C9
LoadResource.KERNEL32(?,00000000,?,?,00C450AA,?,?,00000000,00000000,?,?,?,?,?,?,00C44F20), ref: 00C835BE
SizeofResource.KERNEL32(?,00000000,?,?,00C450AA,?,?,00000000,00000000,?,?,?,?,?,?,00C44F20), ref: 00C835D3
LockResource.KERNEL32(00C450AA,?,?,00C450AA,?,?,00000000,00000000,?,?,?,?,?,?,00C44F20,?), ref: 00C835E6

Strings

SCRIPT, xrefs: 00C442BF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5a02cab963dbbf4d72e976dda52d6c46b37e842f06cdc67287a645828aaafb52
Instruction ID: e99dbc11370dc632b4393359f64def79eb99db26a970763e0fad1efd96ae1531
Opcode Fuzzy Hash: 5a02cab963dbbf4d72e976dda52d6c46b37e842f06cdc67287a645828aaafb52
Instruction Fuzzy Hash: 77117CB0201701BFDB258BA5DC88F2B7BB9EBC5B51F20416EB41296290DBB1D900C620

Function 00C82BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C42B6B

Part of subcall function 00C43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D11418,?,00C42E7F,?,?,?,00000000), ref: 00C43A78

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D02224), ref: 00C82C10
ShellExecuteW.SHELL32(00000000,?,?,00D02224), ref: 00C82C17

Strings

runas, xrefs: 00C82C0B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f317b3d71b2704ad4e9666ceb1ccbf9416f0814a3d1d50b994b64102013cd40b
Instruction ID: a628788c8c3874866c411ac0d24086735a795b0c1622b4ea67df5667848b2711
Opcode Fuzzy Hash: f317b3d71b2704ad4e9666ceb1ccbf9416f0814a3d1d50b994b64102013cd40b
Instruction Fuzzy Hash: 0F11D6312483456BC714FF60E896ABEB7A4FFD1750F44142DF157521A2CF318A4AE722

Function 00CAD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CAD501
Process32FirstW.KERNEL32(00000000,?), ref: 00CAD50F
Process32NextW.KERNEL32(00000000,?), ref: 00CAD52F
CloseHandle.KERNELBASE(00000000), ref: 00CAD5DC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 786f03c0addb8fbfc21d09e532012f20af81d059e9471e3e5b517c2516f847db
Instruction ID: f5efc8bec0c2393c0a6275527baaa0d5551cbc313dcac8e2eb77ad023af909ff
Opcode Fuzzy Hash: 786f03c0addb8fbfc21d09e532012f20af81d059e9471e3e5b517c2516f847db
Instruction Fuzzy Hash: FC3193711083019FD301EF54D885BAFBBF8FF9A354F14052DF582861A2EB719A44DB92

Function 00CADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00C85222), ref: 00CADBCE
GetFileAttributesW.KERNELBASE(?), ref: 00CADBDD
FindFirstFileW.KERNEL32(?,?), ref: 00CADBEE
FindClose.KERNEL32(00000000), ref: 00CADBFA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 3640cb1ecf974fad86e3b8e644e1f612ddbd8cf6cd8a559cb90acdfc48c46a1e
Instruction ID: 3c3439d0bb2109763a658fc3ebfff7dff932437de4ff6c130fda20f56d5a1971
Opcode Fuzzy Hash: 3640cb1ecf974fad86e3b8e644e1f612ddbd8cf6cd8a559cb90acdfc48c46a1e
Instruction Fuzzy Hash: 10F0A0308119225783206B78AC4DAAE376C9E0233CB904713F877C24F0EBB45E54C695

Function 00C64CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C728E9,?,00C64CBE,00C728E9,00D088B8,0000000C,00C64E15,00C728E9,00000002,00000000,?,00C728E9), ref: 00C64D09
TerminateProcess.KERNEL32(00000000,?,00C64CBE,00C728E9,00D088B8,0000000C,00C64E15,00C728E9,00000002,00000000,?,00C728E9), ref: 00C64D10
ExitProcess.KERNEL32 ref: 00C64D22

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fbae75449a8c16fb1c104ea09173c82100d68d310de27a83f902da6ee37b64d2
Instruction ID: c2d730a74db41c29f2de25e8691aaa543afc3e4bd1339bb20b860a204abdbe92
Opcode Fuzzy Hash: fbae75449a8c16fb1c104ea09173c82100d68d310de27a83f902da6ee37b64d2
Instruction Fuzzy Hash: 56E0B631401149ABCF25AF54DD89B9C3B69FB41791F108015FC198B132CB35DE42DA80

Function 00CCAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CCB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CCB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CCB1D4
_wcslen.LIBCMT ref: 00CCB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CCB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CCB236
_wcslen.LIBCMT ref: 00CCB332

Part of subcall function 00CB05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CB05C6

_wcslen.LIBCMT ref: 00CCB34B
_wcslen.LIBCMT ref: 00CCB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CCB3B6
GetLastError.KERNEL32(00000000), ref: 00CCB407
CloseHandle.KERNEL32(?), ref: 00CCB439
CloseHandle.KERNEL32(00000000), ref: 00CCB44A
CloseHandle.KERNEL32(00000000), ref: 00CCB45C
CloseHandle.KERNEL32(00000000), ref: 00CCB46E
CloseHandle.KERNEL32(?), ref: 00CCB4E3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e62373f30d461cf92e55bad548bf361d45f151d9dddc2d8061677a79a0c899e1
Instruction ID: 29ff10eed28c93577a325e020e80329adf52e0f627269e5d0711eea2bae9778c
Opcode Fuzzy Hash: e62373f30d461cf92e55bad548bf361d45f151d9dddc2d8061677a79a0c899e1
Instruction Fuzzy Hash: E1F19B715083409FC724EF64C882B6EBBE5BF85310F18895DF8999B2A2CB31ED44DB52

Function 00C4D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C4D807
timeGetTime.WINMM ref: 00C4DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C4DB28
TranslateMessage.USER32(?), ref: 00C4DB7B
DispatchMessageW.USER32(?), ref: 00C4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C4DB9F
Sleep.KERNELBASE(0000000A), ref: 00C4DBB1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 439d70567e5e975df91317c1356f36b6be336b25f9d347fadab1de864d8e0e97
Instruction ID: e4fe919bd7598aa93629b51fa60e1dd15a6342348bdda6a2ce9fb9b9b544ed53
Opcode Fuzzy Hash: 439d70567e5e975df91317c1356f36b6be336b25f9d347fadab1de864d8e0e97
Instruction Fuzzy Hash: A342F430608342EFDB29DF25C889BAAB7E0FF55304F14855DE8A687391DB70E944DB92

Function 00C42CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C42D07
RegisterClassExW.USER32(00000030), ref: 00C42D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C42D42
InitCommonControlsEx.COMCTL32(?), ref: 00C42D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C42D6F
LoadIconW.USER32(000000A9), ref: 00C42D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C42D94

Strings

TaskbarCreated, xrefs: 00C42D37
AutoIt v3 GUI, xrefs: 00C42D23
0, xrefs: 00C42CE9
+, xrefs: 00C42CF0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e089cb5e85e9c9e3ca7497841b81e4829a75af32add7baca04e3d45b173d2898
Instruction ID: f4eb88641234dfbcc7cfef6a2ff60c2f4c587c3607ad34d75f9bf4cb4dff95bb
Opcode Fuzzy Hash: e089cb5e85e9c9e3ca7497841b81e4829a75af32add7baca04e3d45b173d2898
Instruction Fuzzy Hash: F121C8B9902319AFDB00DF94E889BDDBBB4FB08701F00811AF621E6390DBB15545CF61

Function 00C8065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C8039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C80704,?,?,00000000,?,00C80704,00000000,0000000C), ref: 00C803B7

GetLastError.KERNEL32 ref: 00C8076F
__dosmaperr.LIBCMT ref: 00C80776
GetFileType.KERNELBASE(00000000), ref: 00C80782
GetLastError.KERNEL32 ref: 00C8078C
__dosmaperr.LIBCMT ref: 00C80795
CloseHandle.KERNEL32(00000000), ref: 00C807B5
CloseHandle.KERNEL32(?), ref: 00C808FF
GetLastError.KERNEL32 ref: 00C80931
__dosmaperr.LIBCMT ref: 00C80938

Strings

H, xrefs: 00C808BD

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d037297ff65f0148a9b759263a95a71b01c8e68302588db9f5ffef3dc020fb75
Instruction ID: bb24a45eeaf3ff39e68899ac250c90b12345b4ca4ad7654cefdfd50fff083f54
Opcode Fuzzy Hash: d037297ff65f0148a9b759263a95a71b01c8e68302588db9f5ffef3dc020fb75
Instruction Fuzzy Hash: F0A12832A001049FDF19BF68D892BAD3BA0AB06324F24415DF815DB3E1DB319D57DB95

Function 00C4344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C43A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D11418,?,00C42E7F,?,?,?,00000000), ref: 00C43A78

Part of subcall function 00C43357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C43379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C4356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C8318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C831CE
RegCloseKey.ADVAPI32(?), ref: 00C83210
_wcslen.LIBCMT ref: 00C83277
_wcslen.LIBCMT ref: 00C83286

Strings

\Include\, xrefs: 00C43527
\, xrefs: 00C8328C
Software\AutoIt v3\AutoIt, xrefs: 00C43560
Include, xrefs: 00C83184, 00C831C5

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5b30b17463019c5855af552bf909696614ae6373b25731ac27f6739915f2c690
Instruction ID: 6427d05c72ecee972ed92fedd3be0a6a2078e545510305b03ac747a97278fd26
Opcode Fuzzy Hash: 5b30b17463019c5855af552bf909696614ae6373b25731ac27f6739915f2c690
Instruction Fuzzy Hash: 8771B271404301AFC714EF69EC819ABBBE8FF85750F40442EF565C32A1DB319A59DB62

Function 00C42B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C42B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C42B9D
LoadIconW.USER32(00000063), ref: 00C42BB3
LoadIconW.USER32(000000A4), ref: 00C42BC5
LoadIconW.USER32(000000A2), ref: 00C42BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C42BEF
RegisterClassExW.USER32(?), ref: 00C42C40

Part of subcall function 00C42CD4: GetSysColorBrush.USER32(0000000F), ref: 00C42D07
Part of subcall function 00C42CD4: RegisterClassExW.USER32(00000030), ref: 00C42D31
Part of subcall function 00C42CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C42D42
Part of subcall function 00C42CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C42D5F
Part of subcall function 00C42CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C42D6F
Part of subcall function 00C42CD4: LoadIconW.USER32(000000A9), ref: 00C42D85
Part of subcall function 00C42CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C42D94

Strings

#, xrefs: 00C42C16
AutoIt v3, xrefs: 00C42C2F
0, xrefs: 00C42C0F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8499f746d191598974c72b09683527a943b8367e659114e5f194617005f86dbe
Instruction ID: a026ecd87b8950cfab48a78d9284455c12d84a2b64e97e2ccb91698a5f9fd317
Opcode Fuzzy Hash: 8499f746d191598974c72b09683527a943b8367e659114e5f194617005f86dbe
Instruction Fuzzy Hash: 9B21F878A42314ABDB109FA5EC95BDDBFB4FB48B50F00801AE620E67A4DBB11541DFA0

Function 00C43170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C4316A,?,?), ref: 00C431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C4316A,?,?), ref: 00C43204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C43227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C4316A,?,?), ref: 00C43232
CreatePopupMenu.USER32 ref: 00C43246
PostQuitMessage.USER32(00000000), ref: 00C43267

Strings

TaskbarCreated, xrefs: 00C4322D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 119fc23a382fbf8072ee45ab95e8e9753dcb45a3b17a73ee7bc4d59a8ed0f185
Instruction ID: 948154048eb6b262aa2b7583a8922670ce6500aa4f85dcb548f9a78e0e54686e
Opcode Fuzzy Hash: 119fc23a382fbf8072ee45ab95e8e9753dcb45a3b17a73ee7bc4d59a8ed0f185
Instruction Fuzzy Hash: 80410739200285B6DF252B78AD4DBBD3A15F785344F044116FA31C5296CFA19B41E775

Function 00C41410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C41459
CoUninitialize.COMBASE ref: 00C414F8
UnregisterHotKey.USER32(?), ref: 00C416DD
DestroyWindow.USER32(?), ref: 00C824B9
FreeLibrary.KERNEL32(?), ref: 00C8251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C8254B

Strings

close all, xrefs: 00C41454

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 34a82ed27e14f819b16b13d292982fa54427b22277ad9b3013c34230cedffa08
Instruction ID: 961484fac8b798aa33bba51e0e3bf73e04ba05f881fdad90311ae1fa98aee685
Opcode Fuzzy Hash: 34a82ed27e14f819b16b13d292982fa54427b22277ad9b3013c34230cedffa08
Instruction Fuzzy Hash: 2CD18C31701212CFCB19EF15C899B69F7A0BF05704F1942ADE98A6B252DB30ED52DF58

Function 00C42C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C42C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C42CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C41CAD,?), ref: 00C42CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C41CAD,?), ref: 00C42CCF

Strings

AutoIt v3, xrefs: 00C42C89, 00C42C8E, 00C42C8F
edit, xrefs: 00C42CAC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8bf2867b52cd9845843b89c2d0a9c28dddbe1ed2fe4ef29adeed08ce5636c6f7
Instruction ID: a89a980a35366f8b4ba237eae012e0d5773b5d2c5186e27ed5ac0a398e8c8cd3
Opcode Fuzzy Hash: 8bf2867b52cd9845843b89c2d0a9c28dddbe1ed2fe4ef29adeed08ce5636c6f7
Instruction Fuzzy Hash: BAF0DA796403907AEB311757AC48FBB6EBDD7C6F50B01815AFA10E26A4CA611852DAB0

Function 00C43B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C43B0F,SwapMouseButtons,00000004,?), ref: 00C43B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C43B0F,SwapMouseButtons,00000004,?), ref: 00C43B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C43B0F,SwapMouseButtons,00000004,?), ref: 00C43B83

Strings

Control Panel\Mouse, xrefs: 00C43B3E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 02bcd826378891849581297f7170333ad4f560037703c31a4cd47ebdb904a3e7
Instruction ID: 7368c8c6327f839e38d1e4fb267a423d1d045976966011e477f9dfd996fcfdf8
Opcode Fuzzy Hash: 02bcd826378891849581297f7170333ad4f560037703c31a4cd47ebdb904a3e7
Instruction Fuzzy Hash: 101127B5611248FFDB218FA5DC84BAFBBB8FF84744B10856AA805D7110E231AF449BA0

Function 00C43923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C833A2

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C43A04

Strings

Line: , xrefs: 00C833EB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 99d53e108fb7af02c75059e4af118f3f1b567a351654f121aac3090986cacba8
Instruction ID: cdd5874faa2c5668ffae2ea73100800a2dd4b9c69624bde2e9837797ceed8980
Opcode Fuzzy Hash: 99d53e108fb7af02c75059e4af118f3f1b567a351654f121aac3090986cacba8
Instruction Fuzzy Hash: D931C071448340AAD721EB60DC45BEFB7E8BF81714F10492AF5A9821A1EF709B4AD7D2

Function 00C5FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C60668

Part of subcall function 00C632A4: RaiseException.KERNEL32(?,?,?,00C6068A,?,00D11444,?,?,?,?,?,?,00C6068A,00C41129,00D08738,00C41129), ref: 00C63304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C60685

Strings

Unknown exception, xrefs: 00C60692

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: fc3fa3f0baab9d541b23f970d54c0068b4f4de4f7d9c6699a3ff15fbdecae4a0
Instruction ID: 2b50f700076c9cbf5b4c144bd5f0cd76faf0bd9e9770f17cad5666b59dcca595
Opcode Fuzzy Hash: fc3fa3f0baab9d541b23f970d54c0068b4f4de4f7d9c6699a3ff15fbdecae4a0
Instruction Fuzzy Hash: 47F0223880030DB7CB24BAA4DCC6C9E7B7C5E00300B704035BD28A65D2EF31DB6AE594

Function 00C410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C41BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C41BF4
Part of subcall function 00C41BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C41BFC
Part of subcall function 00C41BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C41C07
Part of subcall function 00C41BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C41C12
Part of subcall function 00C41BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C41C1A
Part of subcall function 00C41BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C41C22

Part of subcall function 00C41B4A: RegisterWindowMessageW.USER32(00000004,?,00C412C4), ref: 00C41BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C4136A
OleInitialize.OLE32 ref: 00C41388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C824AB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 855ba7da667461555f6e9680cd454d440a84702b1168dea74c2b4960c34e22b1
Instruction ID: c7523ce1e90a2e1b2951e90a99c0309783ff8a5cda359d97212ff6e88884b385
Opcode Fuzzy Hash: 855ba7da667461555f6e9680cd454d440a84702b1168dea74c2b4960c34e22b1
Instruction Fuzzy Hash: 5571A9BC912301BEE784EF79A8456D53AF2BB88340754C22AE60AC7361EF304486DF74

Function 00CAC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C43923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C43A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CAC259
KillTimer.USER32(?,00000001,?,?), ref: 00CAC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CAC270

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 120b145fbf1f7121d303f6220aec29fdc62d396eb008ed6daa5d43b118ecb401
Instruction ID: 0d3e1786b9af86537d40417eaa2bb504ab392e1660e6eb770a1f21abc5ffef6c
Opcode Fuzzy Hash: 120b145fbf1f7121d303f6220aec29fdc62d396eb008ed6daa5d43b118ecb401
Instruction Fuzzy Hash: 9E319170904344AFEB329F64C8D5BEBBBECAF17308F00449AD6EAA7241C7745A85CB51

Function 00C786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C785CC,?,00D08CC8,0000000C), ref: 00C78704
GetLastError.KERNEL32(?,00C785CC,?,00D08CC8,0000000C), ref: 00C7870E
__dosmaperr.LIBCMT ref: 00C78739

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 62f6f6544d3ddad5d5922494d84a4a4f3e28b7653a5776f12736909169ba0afc
Instruction ID: 70a5ae74af9f4737945741c7ff2c16ea8dd0157b65d1a4f31bc384aa65056994
Opcode Fuzzy Hash: 62f6f6544d3ddad5d5922494d84a4a4f3e28b7653a5776f12736909169ba0afc
Instruction Fuzzy Hash: 4B014E32A8562036D6246334684E77E6B4A4B81774F39C119FA3CCB1F2DEE0DD86D150

Function 00C7CE40 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C7CE44
_free.LIBCMT ref: 00C7CE7D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C7CE84

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 9259c30c0907382aa396dc70a526107ae2aca6f43e3335d9346c3641260a03fd
Instruction ID: 0aee5334872194865cf53ecc86890c446926988329655dd79d8ed120f6dd7f34
Opcode Fuzzy Hash: 9259c30c0907382aa396dc70a526107ae2aca6f43e3335d9346c3641260a03fd
Instruction Fuzzy Hash: D5E02B7350542326D232233A7CC9EAF3B4DDFC2770B25812AF44CD2142DE208D0251F1

Function 00C4DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C4DB7B
DispatchMessageW.USER32(?), ref: 00C4DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C4DB9F
Sleep.KERNELBASE(0000000A), ref: 00C4DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C91CC9

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: bbc41af5f20987a6a8ca4c21f2ffecdf3985ec48074a782cb7ea6cd28264134d
Instruction ID: 28f737d8d1344d3817f7219cb6305971e1842a548608147f0019cb2191d58381
Opcode Fuzzy Hash: bbc41af5f20987a6a8ca4c21f2ffecdf3985ec48074a782cb7ea6cd28264134d
Instruction Fuzzy Hash: B3F0FE30645341ABEB34DB60DC89FEA73A8EB45351F104619F66AC30D0DB349589DB65

Function 00C51310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C517F6

Strings

CALL, xrefs: 00C517C6

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f88feffe0222eea7ecd47f40c9fe8281aacaabf600d43c545f66dbc1f102a991
Instruction ID: e111568a207e137cd6140d99335089fe8f368b9406bdb0875d8e0cf6ed2b4eb1
Opcode Fuzzy Hash: f88feffe0222eea7ecd47f40c9fe8281aacaabf600d43c545f66dbc1f102a991
Instruction Fuzzy Hash: 3922AB786082019FC714DF15C488B2ABBF1BF85315F18891DFC968B3A1D771E989DB86

Function 00C42DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C82C8C

Part of subcall function 00C43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C43A97,?,?,00C42E7F,?,?,?,00000000), ref: 00C43AC2

Part of subcall function 00C42DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C42DC4

Strings

X, xrefs: 00C82C5A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4651e4404e1a5a2b459a05c7b920b60e09a3f8c6c4850a8cb83e6879d0596bf7
Instruction ID: 9144e40ca46681080875da89f2d2584d92c80a171f9c1971572e61cfcbe0e0b6
Opcode Fuzzy Hash: 4651e4404e1a5a2b459a05c7b920b60e09a3f8c6c4850a8cb83e6879d0596bf7
Instruction Fuzzy Hash: 75219371A002989BDB01EF94C849BEE7BFCAF49314F008059E905B7381DBB49A49DF65

Function 00C43837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C43908

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3f687e9bc8d32bddf9de886ef2ce53fcf2adcec577b821213a93edc2f4405a7d
Instruction ID: 69986a970bcf529e77ee589229c023b4ab9d299fc1e5cf3f33618dab2e6058ff
Opcode Fuzzy Hash: 3f687e9bc8d32bddf9de886ef2ce53fcf2adcec577b821213a93edc2f4405a7d
Instruction Fuzzy Hash: C83161745057419FD720DF64D88579BBBE8FB89708F00092EF6A9C7390E771AA44CB52

Function 00C5F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C5F661

Part of subcall function 00C4D730: GetInputState.USER32 ref: 00C4D807

Sleep.KERNEL32(00000000), ref: 00C9F2DE

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 70cb04ed8de0ecd3aaae78387b30b117e7796b40c11b7f97f7010559057a5578
Instruction ID: f291419b370acaf27cdf40711a56a42cd876d982930fe9045267b1a7cecab432
Opcode Fuzzy Hash: 70cb04ed8de0ecd3aaae78387b30b117e7796b40c11b7f97f7010559057a5578
Instruction Fuzzy Hash: F3F08C31240606AFD314EF69D589B6AB7E8FF45761F00002AF85EC72A0DB70AC00CB90

Function 00C44ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C44E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C44EDD,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44E9C
Part of subcall function 00C44E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C44EAE
Part of subcall function 00C44E90: FreeLibrary.KERNEL32(00000000,?,?,00C44EDD,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44EFD

Part of subcall function 00C44E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C83CDE,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44E62
Part of subcall function 00C44E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C44E74
Part of subcall function 00C44E59: FreeLibrary.KERNEL32(00000000,?,?,00C83CDE,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44E87

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ea1c9d3c053589429e8b6cbd6e9049f878339999ba2f59e982bc2ab79951ee2f
Instruction ID: c96696edd16b1e839e1400121cd0f7a70cfbba76ae557d89542cac2f97012ce0
Opcode Fuzzy Hash: ea1c9d3c053589429e8b6cbd6e9049f878339999ba2f59e982bc2ab79951ee2f
Instruction Fuzzy Hash: 2D11E332600205ABDF28BBA4DC42FAD77A5BF40B10F20842EF542A61C1EE719A09A750

Function 00C78402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C78440

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: af8f6ad339a622eda5e0bbcdff329dbad6fbc31ff452eb460413ef0bc8bdb5fe
Instruction ID: 944d7138fd1b0d20a4ad6e2bfd27700336deaabc2840dc6b811cf0c8b548f094
Opcode Fuzzy Hash: af8f6ad339a622eda5e0bbcdff329dbad6fbc31ff452eb460413ef0bc8bdb5fe
Instruction Fuzzy Hash: 2211487190420AAFCB05DF58E94499E7BF4EF48314F108059F908AB312DA70DA15CBA4

Function 00C6E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b80805d7a0c5d51a57b3d02bcb59b06ccc426ad02a1e29e80da22d3c65014561
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 4EF02836910A18EAC7313A7ADC49B9A339C9F62330F104716F529931D2CF70D906A6A6

Function 00C73820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D11444,?,00C5FDF5,?,?,00C4A976,00000010,00D11440,00C413FC,?,00C413C6,?,00C41129), ref: 00C73852

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2ce7e8ca6d50a1b0028504d812a61d04c4c5fdad038b2f6f6211326433bd621f
Instruction ID: 3ec1271e627c07c4d32f20c979528692bc5e7a88e68be89ce3e55b4f2ad0a740
Opcode Fuzzy Hash: 2ce7e8ca6d50a1b0028504d812a61d04c4c5fdad038b2f6f6211326433bd621f
Instruction Fuzzy Hash: 88E0E5311012A5A6D7312AA79C00F9A7748AB427B0F058123BC3C965C1CB31DF01B1F3

Function 00C44F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44F6D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c8557c90955cc615a083f12c20c9aa977c47e235362b6944fbe63cdac71a110a
Instruction ID: ed4543eb4af78e70ef6ba2722dcd3e0ec60cd02d15af68ce4efe98bec0dd6e59
Opcode Fuzzy Hash: c8557c90955cc615a083f12c20c9aa977c47e235362b6944fbe63cdac71a110a
Instruction Fuzzy Hash: BFF03071105752CFEB389FA5D490A16B7E4BF14329320897EE1EA82521C7319848DF10

Function 00CD2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CD2A66

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e3c87303ea9c507156438ae7e592421aa2f629dc6c3f7100d2b562e21d97604a
Instruction ID: 9cb574793a6a29e2b9cea5a8ec53f542f744441af4ab1418c6dd8100dca93168
Opcode Fuzzy Hash: e3c87303ea9c507156438ae7e592421aa2f629dc6c3f7100d2b562e21d97604a
Instruction Fuzzy Hash: DAE04F36350116AAC714EA31DC909FEB35CEBA5395B104537BD2AC2240EB30DA95A6A0

Function 00C430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C4314E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 76afad12e39b176b30ef678420e26497b33630c2de318486a7a46c88c59f8082
Instruction ID: 7b545bcc9821f10e3cacbd84270dd0668746971705e0eb892e161518f93cc5c6
Opcode Fuzzy Hash: 76afad12e39b176b30ef678420e26497b33630c2de318486a7a46c88c59f8082
Instruction Fuzzy Hash: 19F0A770900314AFE7529B24DC457D97BBCAB01708F0000E5A258D6295DB704789CF51

Function 00C42DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C42DC4

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1fe3871f1e7e805bc73379e29895dd08579d27e21f6fbe54140bdd1670fac5fd
Instruction ID: c7b37ccb5c358c1a2aaab8581b61027dc414457bea0686c06c29bc78899cb1e0
Opcode Fuzzy Hash: 1fe3871f1e7e805bc73379e29895dd08579d27e21f6fbe54140bdd1670fac5fd
Instruction Fuzzy Hash: B4E0CD726001245BCB10E6989C05FDA77DDDFC8794F040071FD09D7248D960AD80D655

Function 00C42B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C43837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C43908

Part of subcall function 00C4D730: GetInputState.USER32 ref: 00C4D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C42B6B

Part of subcall function 00C430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C4314E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f9b6779ec07ba3d7de34dd2f7634071c7370ad6d2b655e71cea8985c0c9e4700
Instruction ID: f2fab839c6d727652cff50a1e0940a365f01f83a82c7bd2d0f730222c1d52e70
Opcode Fuzzy Hash: f9b6779ec07ba3d7de34dd2f7634071c7370ad6d2b655e71cea8985c0c9e4700
Instruction Fuzzy Hash: 9AE0262130028413CA04BB74A8526EDB349FBD1321F40053EF143832A3CE6046859221

Function 00C8039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C80704,?,?,00000000,?,00C80704,00000000,0000000C), ref: 00C803B7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6bf43545df608784c14d32bf827f2121ef4c712e25654b34e4c4d14f5cc0eb31
Instruction ID: 956603f286ea416f789f58bb4b54b0b214905925b4642c1735b91a715bcff681
Opcode Fuzzy Hash: 6bf43545df608784c14d32bf827f2121ef4c712e25654b34e4c4d14f5cc0eb31
Instruction Fuzzy Hash: 7DD06C3204010DBBDF028F84DD46EDE3BAAFB48714F014000BE1856020C732E821EB90

Function 00C41CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C41CBC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f3837a77d0177d273a19b82b67ca5a321455718dde42fd0f786adcbbb0e9b5ae
Instruction ID: a926c0be6e09bcbc912ee15657937b45966f1b6663147765c9dacc1b1e7f8ea6
Opcode Fuzzy Hash: f3837a77d0177d273a19b82b67ca5a321455718dde42fd0f786adcbbb0e9b5ae
Instruction Fuzzy Hash: 65C09B35280305BFF6144780BC8AF547765E348B00F04C101F709D56E3D7A22421E660

Non-executed Functions

Function 00CD9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CD961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CD965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CD969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CD96C9
SendMessageW.USER32 ref: 00CD96F2
GetKeyState.USER32(00000011), ref: 00CD978B
GetKeyState.USER32(00000009), ref: 00CD9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CD97AE
GetKeyState.USER32(00000010), ref: 00CD97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CD97E9
SendMessageW.USER32 ref: 00CD9810
SendMessageW.USER32(?,00001030,?,00CD7E95), ref: 00CD9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CD992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CD9941
SetCapture.USER32(?), ref: 00CD994A
ClientToScreen.USER32(?,?), ref: 00CD99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CD99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CD99D6
ReleaseCapture.USER32 ref: 00CD99E1
GetCursorPos.USER32(?), ref: 00CD9A19
ScreenToClient.USER32(?,?), ref: 00CD9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CD9A80
SendMessageW.USER32 ref: 00CD9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CD9AEB
SendMessageW.USER32 ref: 00CD9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CD9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CD9B4A
GetCursorPos.USER32(?), ref: 00CD9B68
ScreenToClient.USER32(?,?), ref: 00CD9B75
GetParent.USER32(?), ref: 00CD9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CD9BFA
SendMessageW.USER32 ref: 00CD9C2B
ClientToScreen.USER32(?,?), ref: 00CD9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CD9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CD9CDE
SendMessageW.USER32 ref: 00CD9D01
ClientToScreen.USER32(?,?), ref: 00CD9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CD9D82

Part of subcall function 00C59944: GetWindowLongW.USER32(?,000000EB), ref: 00C59952

GetWindowLongW.USER32(?,000000F0), ref: 00CD9E05

Strings

F, xrefs: 00CD9D07
@GUI_DRAGID, xrefs: 00CD997D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8b6880dfc69c392842437363e681a361f2777af7a175e475745103eeca363e47
Instruction ID: dfbc8ff6d4bc928838d4576860f119650aaca830d81c089e701f08f8d905c714
Opcode Fuzzy Hash: 8b6880dfc69c392842437363e681a361f2777af7a175e475745103eeca363e47
Instruction Fuzzy Hash: 26426838205601AFDB24CF24CC84BAABBF5FF49310F14461AF6A9973A1DB31E952DB51

Function 00CD4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CD48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CD4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CD4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CD494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CD495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CD497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CD49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CD49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CD4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CD4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CD4A7E
IsMenu.USER32(?), ref: 00CD4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CD4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CD4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CD4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CD4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CD4C82
wsprintfW.USER32 ref: 00CD4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CD4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CD4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CD4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CD4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CD4D5A

Strings

%d/%02d/%02d, xrefs: 00CD4CA8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 75da72650a24bfd16816811b592681bb481c3f0a16c359bf3b574327b089e839
Instruction ID: 594e64ef96d37aded54b41666476e30378a1aeb871446253e2964dffab885572
Opcode Fuzzy Hash: 75da72650a24bfd16816811b592681bb481c3f0a16c359bf3b574327b089e839
Instruction Fuzzy Hash: 7A12F271600215ABEB289F65CC89FAE7BF8EF45310F10412AF725DB2E1DB749A41DB50

Function 00C5F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C5F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C9F474
IsIconic.USER32(00000000), ref: 00C9F47D
ShowWindow.USER32(00000000,00000009), ref: 00C9F48A
SetForegroundWindow.USER32(00000000), ref: 00C9F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C9F4AA
GetCurrentThreadId.KERNEL32 ref: 00C9F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C9F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C9F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C9F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C9F4DE
SetForegroundWindow.USER32(00000000), ref: 00C9F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9F4F6
keybd_event.USER32(00000012,00000000), ref: 00C9F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9F50B
keybd_event.USER32(00000012,00000000), ref: 00C9F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9F519
keybd_event.USER32(00000012,00000000), ref: 00C9F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C9F528
keybd_event.USER32(00000012,00000000), ref: 00C9F52D
SetForegroundWindow.USER32(00000000), ref: 00C9F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C9F557

Strings

Shell_TrayWnd, xrefs: 00C9F46F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8d08014281c5c51380d7673b1b3bdc6b7e02734e808bbacd3cdb304c18b57fa8
Instruction ID: 14f11c57f43c1507eef475b25d21f06d8108bd1a2f6eb5cfb6338ad2b86fff89
Opcode Fuzzy Hash: 8d08014281c5c51380d7673b1b3bdc6b7e02734e808bbacd3cdb304c18b57fa8
Instruction Fuzzy Hash: DD317271A41219BFEF206BB55C8AFBF7F6CEB44B50F11006AFA00E61D1D6B09D11EA60

Function 00CA1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00CA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CA170D
Part of subcall function 00CA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CA173A
Part of subcall function 00CA16C3: GetLastError.KERNEL32 ref: 00CA174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00CA1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00CA12A8
CloseHandle.KERNEL32(?), ref: 00CA12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CA12D1
GetProcessWindowStation.USER32 ref: 00CA12EA
SetProcessWindowStation.USER32(00000000), ref: 00CA12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CA1310

Part of subcall function 00CA10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CA11FC), ref: 00CA10D4
Part of subcall function 00CA10BF: CloseHandle.KERNEL32(?,?,00CA11FC), ref: 00CA10E9

Strings

winsta0, xrefs: 00CA12CC
, xrefs: 00CA125A
default, xrefs: 00CA130B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 71689c35dcb3b150149de5736f4ce53d5b07560fec120f597c0400156984db13
Instruction ID: c99f9171e167d7a48022455a43c2acec68db8d6ef22fa871969504678bffdb5c
Opcode Fuzzy Hash: 71689c35dcb3b150149de5736f4ce53d5b07560fec120f597c0400156984db13
Instruction Fuzzy Hash: EA81B67190020AAFDF119FA8DC89FEE7BB9EF09708F184119FD20E61A0C7749A45CB20

Function 00CA0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CA1114
Part of subcall function 00CA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA1120
Part of subcall function 00CA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA112F
Part of subcall function 00CA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA1136
Part of subcall function 00CA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CA0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CA0C00
GetLengthSid.ADVAPI32(?), ref: 00CA0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00CA0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CA0C6D
GetLengthSid.ADVAPI32(?), ref: 00CA0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CA0C8C
HeapAlloc.KERNEL32(00000000), ref: 00CA0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CA0CB4
CopySid.ADVAPI32(00000000), ref: 00CA0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CA0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CA0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CA0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0D45
HeapFree.KERNEL32(00000000), ref: 00CA0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0D55
HeapFree.KERNEL32(00000000), ref: 00CA0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0D65
HeapFree.KERNEL32(00000000), ref: 00CA0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CA0D78
HeapFree.KERNEL32(00000000), ref: 00CA0D7F

Part of subcall function 00CA1193: GetProcessHeap.KERNEL32(00000008,00CA0BB1,?,00000000,?,00CA0BB1,?), ref: 00CA11A1
Part of subcall function 00CA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CA0BB1,?), ref: 00CA11A8
Part of subcall function 00CA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CA0BB1,?), ref: 00CA11B7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 38996e3c1b10fbfaff09ce4563ee42edda584e78b401672a3f42e2c8d7c0d8f6
Instruction ID: 9bc902c78eea33dca6bec592acc996cfe0c25b6377c16102cdf534dcd62ab3f6
Opcode Fuzzy Hash: 38996e3c1b10fbfaff09ce4563ee42edda584e78b401672a3f42e2c8d7c0d8f6
Instruction Fuzzy Hash: D0718C7290121BABDF10DFA4DC88BAEBBB8BF05358F144119F924A7191D771AA05CBA1

Function 00CBEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CDCC08), ref: 00CBEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CBEB37
GetClipboardData.USER32(0000000D), ref: 00CBEB43
CloseClipboard.USER32 ref: 00CBEB4F
GlobalLock.KERNEL32(00000000), ref: 00CBEB87
CloseClipboard.USER32 ref: 00CBEB91
GlobalUnlock.KERNEL32(00000000), ref: 00CBEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CBEBC9
GetClipboardData.USER32(00000001), ref: 00CBEBD1
GlobalLock.KERNEL32(00000000), ref: 00CBEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00CBEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CBEC38
GetClipboardData.USER32(0000000F), ref: 00CBEC44
GlobalLock.KERNEL32(00000000), ref: 00CBEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CBEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CBEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CBECD2
GlobalUnlock.KERNEL32(00000000), ref: 00CBECF3
CountClipboardFormats.USER32 ref: 00CBED14
CloseClipboard.USER32 ref: 00CBED59

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 59f3b2840b7df23d403c34821bbfafc3985a32fa3209931f0016f08f1d7e2c41
Instruction ID: 0eb635e7c41499821c97b8f9bb4f8108a61fb6ed562b6a0a08baca6cba78c2cf
Opcode Fuzzy Hash: 59f3b2840b7df23d403c34821bbfafc3985a32fa3209931f0016f08f1d7e2c41
Instruction Fuzzy Hash: 2A61AF35204202AFD310EF24D889FAEB7A8FF84B14F14455EF456972A2DB71DE06DB62

Function 00CB698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CB69BE
FindClose.KERNEL32(00000000), ref: 00CB6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CB6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CB6A75

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CB6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CB6ADF

Strings

%4d, xrefs: 00CB6BB1
%03d, xrefs: 00CB6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CB6B32
%02d, xrefs: 00CB6C00, 00CB6C0A, 00CB6C5A, 00CB6CAA, 00CB6CFA, 00CB6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00CB6B6A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 59fa9e95c738da680bc02e96ee40037e48dbb57122baab6a70f2dd67f1d44ab7
Instruction ID: 68e8351293185d62ad3b0d87005aa1a97fca89ffa6f1d6fc4ebeac4f2fbcf9f8
Opcode Fuzzy Hash: 59fa9e95c738da680bc02e96ee40037e48dbb57122baab6a70f2dd67f1d44ab7
Instruction Fuzzy Hash: 0FD14F72508340AFC714EBA4C881EAFB7ECBF89704F44491DF985D6191EB74DA48DB62

Function 00CB9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CB9663
GetFileAttributesW.KERNEL32(?), ref: 00CB96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CB96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CB96D3
FindClose.KERNEL32(00000000), ref: 00CB96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CB96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB974A
SetCurrentDirectoryW.KERNEL32(00D06B7C), ref: 00CB9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CB9772
FindClose.KERNEL32(00000000), ref: 00CB977F
FindClose.KERNEL32(00000000), ref: 00CB978F

Strings

*.*, xrefs: 00CB96F5

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 0592e1a415edce73fe88fae8a60119a717aed8efe029d88c6c56bdb25c3885b9
Instruction ID: 705f26b404047e72c7804845756a914ec1c1f7987afe7422f1648584b99ee594
Opcode Fuzzy Hash: 0592e1a415edce73fe88fae8a60119a717aed8efe029d88c6c56bdb25c3885b9
Instruction Fuzzy Hash: 6831D37254121A6EDF24AFB4DC89BDE77ECDF49320F104166FA15E21A0EB34DE44CA60

Function 00CB979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CB97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CB9819
FindClose.KERNEL32(00000000), ref: 00CB9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CB9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB9890
SetCurrentDirectoryW.KERNEL32(00D06B7C), ref: 00CB98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CB98B8
FindClose.KERNEL32(00000000), ref: 00CB98C5
FindClose.KERNEL32(00000000), ref: 00CB98D5

Part of subcall function 00CADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CADB00

Strings

*.*, xrefs: 00CB983B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d2daced71f458af4b2c513adb440a5ec9cd274e298983e811e6c8eda344555e4
Instruction ID: ad3c7495b987bfd385bdbd7baec6155082a8b8c54988d6f2dc70028d4e693fce
Opcode Fuzzy Hash: d2daced71f458af4b2c513adb440a5ec9cd274e298983e811e6c8eda344555e4
Instruction Fuzzy Hash: 0431C67154161A6EDF24EFB4DC88BDE77BCDF46320F144166EA24A21E0DB32DE44DA60

Function 00CCBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CCB6AE,?,?), ref: 00CCC9B5
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCC9F1
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA68
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CCBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CCBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CCBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CCC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CCC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CCC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CCC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CCC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CCC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CCC382
RegCloseKey.ADVAPI32(00000000), ref: 00CCC38F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: ad3e2ad52917c1e7979c99d2ba2ca6e65e5a271a1bae6951702a5ba2bf48fd63
Instruction ID: e06efd346af2862d1c484ea975b75e436454944a5f3d1753fdfb16d15b365bef
Opcode Fuzzy Hash: ad3e2ad52917c1e7979c99d2ba2ca6e65e5a271a1bae6951702a5ba2bf48fd63
Instruction Fuzzy Hash: 4E022871604240AFD714CF28C8D5F2ABBE5EF89318F18849DE85ACB2A2D731ED46CB51

Function 00CB8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CB8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CB8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CB8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CB838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB8395

Strings

*.*, xrefs: 00CB839B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 3e3bfb1e2f24ce32ccac9f979886af8e34c071f5c0f0a88c79b2e9ae13144c0e
Instruction ID: 2a62f5a08084332e7a7704ed53d00eeb96ef3c9f111f2abf90edc790f2642d39
Opcode Fuzzy Hash: 3e3bfb1e2f24ce32ccac9f979886af8e34c071f5c0f0a88c79b2e9ae13144c0e
Instruction Fuzzy Hash: 57615B725043459FCB10EF64C880AAEB3ECFF89314F04491EF99997261DB35EA49CB92

Function 00CAD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C43A97,?,?,00C42E7F,?,?,?,00000000), ref: 00C43AC2

Part of subcall function 00CAE199: GetFileAttributesW.KERNEL32(?,00CACF95), ref: 00CAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CAD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CAD1DD
MoveFileW.KERNEL32(?,?), ref: 00CAD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CAD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CAD237

Part of subcall function 00CAD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00CAD21C,?,?), ref: 00CAD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00CAD253
FindClose.KERNEL32(00000000), ref: 00CAD264

Strings

\*.*, xrefs: 00CAD0CD, 00CAD0D6, 00CAD0EB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 68eb5cf7b6b7afe739f51d5479b1d5f0d4d3154dcf1ec5eba450a97dd3531f83
Instruction ID: ddf86d99ff4e0482f3ba3e024bf0e84df685b99b3f3fb8adab53cf9448dd21bd
Opcode Fuzzy Hash: 68eb5cf7b6b7afe739f51d5479b1d5f0d4d3154dcf1ec5eba450a97dd3531f83
Instruction Fuzzy Hash: 52616D3184115E9BCF05EBE0D992AEEB7B5BF56304F204165E413771A2EB306F09EB61

Function 00CBED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CBED91
EmptyClipboard.USER32 ref: 00CBED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CBEDAC
CloseClipboard.USER32 ref: 00CBEEA3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 91b4fef977a7bc2ece7604b80cad4c5447f2c1e0128f03d5e3c59affc3020b4c
Instruction ID: 6a685494027c9fef3665f940b429c5c9cc2d193cf047fde6fa36c5c42ca02153
Opcode Fuzzy Hash: 91b4fef977a7bc2ece7604b80cad4c5447f2c1e0128f03d5e3c59affc3020b4c
Instruction Fuzzy Hash: A041BE35205652AFE720CF25D888B99BBE5FF44718F14C09AE8258B762C775ED42CB90

Function 00CAE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CA170D
Part of subcall function 00CA16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CA173A
Part of subcall function 00CA16C3: GetLastError.KERNEL32 ref: 00CA174A

ExitWindowsEx.USER32(?,00000000), ref: 00CAE932

Strings

, xrefs: 00CAE920
, xrefs: 00CAE95C
SeShutdownPrivilege, xrefs: 00CAE902
@, xrefs: 00CAE925

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 574854d3a4876e1a6df38cbcba4cabe9ab79581c8ac2b6d03df79793ae29030a
Instruction ID: d38a797ceb62d61470f0e15ec6aa269ac5cc1c70e96316a1339b7e676a882008
Opcode Fuzzy Hash: 574854d3a4876e1a6df38cbcba4cabe9ab79581c8ac2b6d03df79793ae29030a
Instruction Fuzzy Hash: 84012632610313ABEB1422B5ACC6BFF725C9B06758F180422FC12E20D1E5A05D44D2E0

Function 00CC1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CC1276
WSAGetLastError.WSOCK32 ref: 00CC1283
bind.WSOCK32(00000000,?,00000010), ref: 00CC12BA
WSAGetLastError.WSOCK32 ref: 00CC12C5
closesocket.WSOCK32(00000000), ref: 00CC12F4
listen.WSOCK32(00000000,00000005), ref: 00CC1303
WSAGetLastError.WSOCK32 ref: 00CC130D
closesocket.WSOCK32(00000000), ref: 00CC133C

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: be803adf12d9a543597ecd1db39cd8801c51d2a9e1d06358ed5886afe935210f
Instruction ID: 5bb06b2f5f7e392a2da38027a6486af5dff7764fd2857d00893e73b2c2c078ea
Opcode Fuzzy Hash: be803adf12d9a543597ecd1db39cd8801c51d2a9e1d06358ed5886afe935210f
Instruction Fuzzy Hash: 25416D35A001419FD710DF65C888F2ABBE5AF46318F18818DE8668F2E3C771ED81CBA1

Function 00CAD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C43A97,?,?,00C42E7F,?,?,?,00000000), ref: 00C43AC2

Part of subcall function 00CAE199: GetFileAttributesW.KERNEL32(?,00CACF95), ref: 00CAE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CAD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CAD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CAD481
FindClose.KERNEL32(00000000), ref: 00CAD498
FindClose.KERNEL32(00000000), ref: 00CAD4A1

Strings

\*.*, xrefs: 00CAD3F2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 0ffcc051aaed6b2102b7f8bc69b36ab6fb44c52de9e2a9e8850c06a44daccc49
Instruction ID: 289e40f212d0a08831e0df942cd5868331cc9210d8b2d8c76951033a8ee2dcfa
Opcode Fuzzy Hash: 0ffcc051aaed6b2102b7f8bc69b36ab6fb44c52de9e2a9e8850c06a44daccc49
Instruction Fuzzy Hash: C73182710493469FC300EF64C8959AF77E8BE96314F444A1EF4D2531A1EB30AA09E763

Function 00C7E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C7E645

Strings

1#SNAN, xrefs: 00C7F844
1#QNAN, xrefs: 00C7F84B
1#INF, xrefs: 00C7F852
1#IND, xrefs: 00C7F83D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4e24fd04d3924209cc05c3f54931a4e22fd5f42aaafd87180e826b88a20fe5c9
Instruction ID: 8e31bf805aeb04bc8fa39841ac7b57ae2c924ff3c20248bd341baa00b0f14d31
Opcode Fuzzy Hash: 4e24fd04d3924209cc05c3f54931a4e22fd5f42aaafd87180e826b88a20fe5c9
Instruction Fuzzy Hash: E1C24E72E046288FDB25CF68DD807EAB7B5EB49304F1481EAD45DE7241E774AE828F41

Function 00CB648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB64DC
CoInitialize.OLE32(00000000), ref: 00CB6639
CoCreateInstance.OLE32(00CDFCF8,00000000,00000001,00CDFB68,?), ref: 00CB6650
CoUninitialize.OLE32 ref: 00CB68D4

Strings

.lnk, xrefs: 00CB64BA, 00CB6524, 00CB65E0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 7dbf002ea2546dcc5b097262b9ea8829def4655d93c3ad19825bb6498b9005a8
Instruction ID: d6a850e0e541274985735f3fb08d4382f33127ddcd5eeffafba8a4ce8e7e4ca5
Opcode Fuzzy Hash: 7dbf002ea2546dcc5b097262b9ea8829def4655d93c3ad19825bb6498b9005a8
Instruction Fuzzy Hash: C3D14971508311AFD314EF64C881EABB7E8FF95704F00496DF5958B2A1DB71EA09CBA2

Function 00CC22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CC22E8

Part of subcall function 00CBE4EC: GetWindowRect.USER32(?,?), ref: 00CBE504

GetDesktopWindow.USER32 ref: 00CC2312
GetWindowRect.USER32(00000000), ref: 00CC2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CC2355
GetCursorPos.USER32(?), ref: 00CC2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CC23DF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 861efd8adacb1e27de969cb006b1f9383031103866c56137d2997ee389426a43
Instruction ID: e8f3907b4e9efaf8b8f219df943c02b2aec09a46e3c8df3cc9c5a1ca70304139
Opcode Fuzzy Hash: 861efd8adacb1e27de969cb006b1f9383031103866c56137d2997ee389426a43
Instruction Fuzzy Hash: C631DA72105356ABC720DF14D888F9BBBA9FB88714F040A1EF894D7191DA34EA08CB92

Function 00CB9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CB9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CB9C8B

Part of subcall function 00CB3874: GetInputState.USER32 ref: 00CB38CB
Part of subcall function 00CB3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CB3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CB9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CB9C75

Strings

*.*, xrefs: 00CB9B5D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ce84575a1201688c3b1eb1977525893350d0975b749a843f2b2204409ae65a59
Instruction ID: 2785b3e9730cd1c8092dbae240ff4c0b288d4118c487f4e5a682337d52a3aaf5
Opcode Fuzzy Hash: ce84575a1201688c3b1eb1977525893350d0975b749a843f2b2204409ae65a59
Instruction Fuzzy Hash: 13415E7194420AAFDF14DFA4C889AEEBBB8FF45310F244156E915A31A1EB309F84DF60

Function 00C5997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C59A4E
GetSysColor.USER32(0000000F), ref: 00C59B23
SetBkColor.GDI32(?,00000000), ref: 00C59B36

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 165419ea2087dde86bf05d73a717d92a0ffda2d5ad87fa2e30da816b5b91d77f
Instruction ID: 3d0cff016dcc310d7c7b00136ea55bc65ffb5376cc3cdedda8e4efec376f923e
Opcode Fuzzy Hash: 165419ea2087dde86bf05d73a717d92a0ffda2d5ad87fa2e30da816b5b91d77f
Instruction Fuzzy Hash: 7CA17FB8219144FFEB25AA3D8C4CEBF365DDB42301F14434AF922C6691CA359F85E279

Function 00CC1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CC307A
Part of subcall function 00CC304E: _wcslen.LIBCMT ref: 00CC309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CC185D
WSAGetLastError.WSOCK32 ref: 00CC1884
bind.WSOCK32(00000000,?,00000010), ref: 00CC18DB
WSAGetLastError.WSOCK32 ref: 00CC18E6
closesocket.WSOCK32(00000000), ref: 00CC1915

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 8f08da2bb4b4320343a072d9ed3c6732eb967f0c2dcf5e8f2b54f7fee10e5a10
Instruction ID: 295f72591ac3b0fc6a1cbfdf213cab650c2d947d5080411d64002884ec94cdf8
Opcode Fuzzy Hash: 8f08da2bb4b4320343a072d9ed3c6732eb967f0c2dcf5e8f2b54f7fee10e5a10
Instruction Fuzzy Hash: 6F51B075A00210AFEB10AF24C886F2AB7E5AB45718F18849CFD169F3D3C771AD41DBA1

Function 00CD1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CD1CC0
IsWindowEnabled.USER32 ref: 00CD1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CD1CDB
IsIconic.USER32 ref: 00CD1CE9
IsZoomed.USER32 ref: 00CD1CF7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1e026b6a1baad1486823ec12f51b43f4e18136c97c0e79fd956858bbac8b4e68
Instruction ID: 669e5cb193f9354f533d1d3356331ece0c14da700a83708516a706ff83643009
Opcode Fuzzy Hash: 1e026b6a1baad1486823ec12f51b43f4e18136c97c0e79fd956858bbac8b4e68
Instruction Fuzzy Hash: D721F1317512016FE7208F2AC884B2A7BE5EF84320B1C806AED5A8B351DB71ED42CB90

Function 00C48060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C483FA
VUUU, xrefs: 00C85DF0
VUUU, xrefs: 00C4843C
ERCP, xrefs: 00C4813C
VUUU, xrefs: 00C483E8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 91fb77fdf58f251460fb72086c4f609b2df83ae0379fe9e79817418d496005a7
Instruction ID: 9fa5e168215088b2e0646b5290db436ccebcd77512c9dbeb2f9b7702e4f6a17c
Opcode Fuzzy Hash: 91fb77fdf58f251460fb72086c4f609b2df83ae0379fe9e79817418d496005a7
Instruction Fuzzy Hash: 80A2A070E0061ACBDF24DF58C9407EEB7B1BF54318F2481AAE825A7285DB749E85CF94

Function 00CAAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CAAAAC
SetKeyboardState.USER32(00000080), ref: 00CAAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CAAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CAAB88

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fc10ecde378d19eafbe166924f24b1acc21ec3461b72a467d0adf912f8d57dd5
Instruction ID: fec2a39090d64ecd1413b0d4eddd1b13450a54a77c055d5d27ce7439d36e6564
Opcode Fuzzy Hash: fc10ecde378d19eafbe166924f24b1acc21ec3461b72a467d0adf912f8d57dd5
Instruction Fuzzy Hash: 42312A70A4020AAFFF35CB65EC05BFE7BA6AB46318F04421AF191961D1D3758E81D772

Function 00C7BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C7BB7F

Part of subcall function 00C729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000), ref: 00C729DE
Part of subcall function 00C729C8: GetLastError.KERNEL32(00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000,00000000), ref: 00C729F0

GetTimeZoneInformation.KERNEL32 ref: 00C7BB91
WideCharToMultiByte.KERNEL32(00000000,?,00D1121C,000000FF,?,0000003F,?,?), ref: 00C7BC09
WideCharToMultiByte.KERNEL32(00000000,?,00D11270,000000FF,?,0000003F,?,?,?,00D1121C,000000FF,?,0000003F,?,?), ref: 00C7BC36

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 31c22a6d0a2c1d2c94699478719a0483aad6e35cdbbbe53f04e1e75c8e8be2ac
Instruction ID: f7fe1f878ac1fa1d51bf9982b2f12e14d456f671d122a580d3b8efa1bc647b8f
Opcode Fuzzy Hash: 31c22a6d0a2c1d2c94699478719a0483aad6e35cdbbbe53f04e1e75c8e8be2ac
Instruction Fuzzy Hash: 8831EE70904205EFCB01DF69DC81AADBBB8BF45350B14C2AAE128D72A1CB309E41DB60

Function 00CBCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CBCE89
GetLastError.KERNEL32(?,00000000), ref: 00CBCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CBCEFE

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 583e56494eee705fe2d130a6436fb562854872e5c126c8d3820d80ed08c6b470
Instruction ID: 85ed58121ecd474a3873cd2db0b47440ea420c138d825070e272391c3e0df18f
Opcode Fuzzy Hash: 583e56494eee705fe2d130a6436fb562854872e5c126c8d3820d80ed08c6b470
Instruction Fuzzy Hash: 912189B1A00306EBEB309FA5C9C8BAAB7FCEB50354F10441AE55692151E770EA05DBA0

Function 00CA8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CA82AA

Strings

(, xrefs: 00CA82F0
|, xrefs: 00CA82DA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4a2e32cb23b5307c8234ee249a3b0ca1679d66127bcdfa801832ac4070ed8648
Instruction ID: 2067b7b25cb631fd3e2a66d9a4f55f70be77404f408ab058226249bb30b433ab
Opcode Fuzzy Hash: 4a2e32cb23b5307c8234ee249a3b0ca1679d66127bcdfa801832ac4070ed8648
Instruction Fuzzy Hash: 29323874A007069FCB28CF59C481A6AB7F0FF48714B15C56EE5AADB3A1EB70E941CB44

Function 00CB5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CB5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CB5D17
FindClose.KERNEL32(?), ref: 00CB5D5F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 4703cec8265361dbbfbbea7eb7d86e99b5fd5a8f6cba3b2dde725e069911c86e
Instruction ID: 4cbd73e7ab05054e02e75bbe6dc0c219e57930b4a85f525c8aa81191fdc8efa2
Opcode Fuzzy Hash: 4703cec8265361dbbfbbea7eb7d86e99b5fd5a8f6cba3b2dde725e069911c86e
Instruction Fuzzy Hash: F8518974604A019FC718DF28C494A9AB7E4FF49314F14865EE9AA8B3A1CB30FD45CF91

Function 00C72622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C7271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C72724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C72731

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dc0ad5ab92e4677b2610587c33232f4e1c2d277e706aa58d52ae9aea9eddb6ef
Instruction ID: c16f123dda59932ad906d57040b430cb29dd9c94c4ed2ea61b75ef743c398383
Opcode Fuzzy Hash: dc0ad5ab92e4677b2610587c33232f4e1c2d277e706aa58d52ae9aea9eddb6ef
Instruction Fuzzy Hash: 7131B5749112189BCB21DF68DD897DDB7B8AF08310F5042EAE81CA7261E7309F819F45

Function 00CB51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CB51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CB5238
SetErrorMode.KERNEL32(00000000), ref: 00CB52A1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a64e068baa1a26a06ba8db07b9ef308a9174881e07d896c6ebebc0437b9ea242
Instruction ID: 03f4d057816cdfd0822f31a60696cc8df1c075613ac99f39a4a58f13540c6c93
Opcode Fuzzy Hash: a64e068baa1a26a06ba8db07b9ef308a9174881e07d896c6ebebc0437b9ea242
Instruction Fuzzy Hash: EA314B75A006199FDB00DF94D8C4FADBBB4FF49314F048099E805AB3A2DB31E956CB91

Function 00CA16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C60668
Part of subcall function 00C5FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C60685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CA170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CA173A
GetLastError.KERNEL32 ref: 00CA174A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d6e4456b4fd51ebdbaaf3d53d71ac5fd6a86b0d2aa4e8675af566a4d089a797b
Instruction ID: c141f502d99133b9b53fe9a7bfa937ddd759365c5554ff265f3d5d9613b9b5e3
Opcode Fuzzy Hash: d6e4456b4fd51ebdbaaf3d53d71ac5fd6a86b0d2aa4e8675af566a4d089a797b
Instruction Fuzzy Hash: 6211C1B2400305AFD7189F54DCC6E6AB7B9EB04714B24852EF45697241EB70BC82CA24

Function 00CAD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CAD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00CAD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CAD650

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: bb16cdb0a9205bd4b28669fedaf54596eb1d5e88ebe9a94f5b0990d3a478dc6a
Instruction ID: 28ea135dc97f0261e3f52b20712a17e456fdfc00a5c8cd127f0968d8777e3949
Opcode Fuzzy Hash: bb16cdb0a9205bd4b28669fedaf54596eb1d5e88ebe9a94f5b0990d3a478dc6a
Instruction Fuzzy Hash: DE118E71E05228BFDB108F95DC84FEFBBBCEB45B60F108116F915E7290C2704A018BA1

Function 00CA1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CA168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CA16A1
FreeSid.ADVAPI32(?), ref: 00CA16B1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8c6410d8f7fc01263f39bcb927468afdb2f46eeac44d666e6a48bc71f0970ad6
Instruction ID: 8e38dee7ba31004a704e2f0f3587daf08ddf94d3740c171a3b1b39917ce4dbb9
Opcode Fuzzy Hash: 8c6410d8f7fc01263f39bcb927468afdb2f46eeac44d666e6a48bc71f0970ad6
Instruction Fuzzy Hash: 90F0F47195130AFBDF00DFE4DC89AAEBBBCEB08604F504565E901E2181E774AA448A50

Function 00C9D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C9D28C

Strings

X64, xrefs: 00C9D2A8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: eb7fda753645af0a8eae3ba7b019b5581eb6558510b79b4d5762d208db1647f3
Instruction ID: 31d5bf7c171e219a434e2940ffc14951d61a3859fd588083bae7a14a7131a03e
Opcode Fuzzy Hash: eb7fda753645af0a8eae3ba7b019b5581eb6558510b79b4d5762d208db1647f3
Instruction Fuzzy Hash: 58D0C9B480111DEACF90DB90DCC8EDDB77CBB04305F100192F506A2080D73095488F10

Function 00C6CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 2e4aaa0dc24c72af3e1761edff497053ddfc0fd43fdfbcee4ee5b77056f55a23
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FF021D71E001199FDF24CFA9C8C06ADFBF5EF88314F25816AD969E7380D731AA418B94

Function 00CB68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CB6918
FindClose.KERNEL32(00000000), ref: 00CB6961

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 53bc7742223a29ffc69a7e7affe0d19b259e8b5f395370d97b04c7fb3530a954
Instruction ID: 62d8aa909fa6b8d5c0625bab5ac8efc21f246631bacfe593444c7efe443b8aee
Opcode Fuzzy Hash: 53bc7742223a29ffc69a7e7affe0d19b259e8b5f395370d97b04c7fb3530a954
Instruction Fuzzy Hash: 61119031A042119FD710DF69D4C4A1ABBE5FF85328F14C699E8698F3A2C734EC05CB91

Function 00CB37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CC4891,?,?,00000035,?), ref: 00CB37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CC4891,?,?,00000035,?), ref: 00CB37F4

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 45a06a9f60f57f270738440ea4cf790cdd2b59f0da3bfeafd075629e108423eb
Instruction ID: 191c9bb589c4c8188eeaab5cdcec83f78ddd5ad9bb1668e2d96a532b8c745e6a
Opcode Fuzzy Hash: 45a06a9f60f57f270738440ea4cf790cdd2b59f0da3bfeafd075629e108423eb
Instruction Fuzzy Hash: 75F0E5B07052296AE72067A69C8DFEB7BAEEFC5761F000265F509E22D1D9609904C7B0

Function 00CAB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CAB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00CAB270

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a3ec0cc031314ffe1db49f9d219ab9fd7f781e77de52d1eeb1bdbcaec2c62133
Instruction ID: 36376ddccbb0b0dc43bdf9780d7245ffe586e8d863e122798076514b144acca0
Opcode Fuzzy Hash: a3ec0cc031314ffe1db49f9d219ab9fd7f781e77de52d1eeb1bdbcaec2c62133
Instruction Fuzzy Hash: CEF0177180428EABDB059FA1C806BEE7BB4FF09309F00814AF965A61A2D3798611DF94

Function 00CA10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CA11FC), ref: 00CA10D4
CloseHandle.KERNEL32(?,?,00CA11FC), ref: 00CA10E9

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 09eafcf02e95ab328684cda6f04e95365bc976467a348546edee706996057fb5
Instruction ID: 94dbeb2f16d28cea83d877133086363cb42b6caa99754f190d78b29485046ceb
Opcode Fuzzy Hash: 09eafcf02e95ab328684cda6f04e95365bc976467a348546edee706996057fb5
Instruction Fuzzy Hash: 22E04F32004601AEE7252B11FC06F7777A9EB04321F14882EF8A5804B1DB626CD0EB14

Function 00C4CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C90C40

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: dfca6e65fce441d6756c4f8d01e0a8a7229f5cd7b0f58de88732a5c3ad0cc40c
Instruction ID: 9357aee4c36c90184b2b714c459cf38dfd883c838ae8bedd243b8140ef3e503c
Opcode Fuzzy Hash: dfca6e65fce441d6756c4f8d01e0a8a7229f5cd7b0f58de88732a5c3ad0cc40c
Instruction Fuzzy Hash: 29329B34901218DFDF54DF94C8C5AEDB7B5FF04304F248069E816AB2A2DB35AE4ADB61

Function 00C7676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C76766,?,?,00000008,?,?,00C7FEFE,00000000), ref: 00C76998

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d8af8c6513a82da0d3c12c57b05989fe52303cd9ab5dd202a80b7ab8159a38d6
Instruction ID: d8d07284e3023c4d3d2e4c9d3040cbf1608c35c69b43e67275eb5f8cbb70c8c6
Opcode Fuzzy Hash: d8af8c6513a82da0d3c12c57b05989fe52303cd9ab5dd202a80b7ab8159a38d6
Instruction Fuzzy Hash: 98B12B31610A099FD719CF28C48AB657BE0FF45364F25C658E9ADCF2A2C335EA95CB40

Function 00C5B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C9851F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b2406fbc1d7b5b889b307434dad2e8de7e453138c4bfffbaca57b7e87ec88436
Instruction ID: dd2b090d8cbff4e5b04f7a69b0bbb89d0edb2590205080dbba53eb51587abc1a
Opcode Fuzzy Hash: b2406fbc1d7b5b889b307434dad2e8de7e453138c4bfffbaca57b7e87ec88436
Instruction Fuzzy Hash: 03126F759002299FDF24CF59C880AEEBBB5FF48710F14819AE849EB251DB309E85CF94

Function 00CBEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CBEABD

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f5cd090d1a0b50e25ba04dd12694178f8bc79f43c3adc250ced1d73caea5304c
Instruction ID: 9f1ba8ceffa8bd9db9ea1a6029d85d53624a7f245b18dbe0f2b7e7262cf3e74a
Opcode Fuzzy Hash: f5cd090d1a0b50e25ba04dd12694178f8bc79f43c3adc250ced1d73caea5304c
Instruction Fuzzy Hash: 7DE01A312002059FD710EFAAD844E9AFBEDBF98760F008416FC49C72A1DA70E8419B90

Function 00C609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C603EE), ref: 00C609DA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 739fbec3dba136c01a9bee28fef0bba61062ea15f8f19100fedb500cfd60b539
Instruction ID: 46590d03dd5d666e24811d9d3f7e19266f4dfafe6eb052a96e798d364a1eaa02
Opcode Fuzzy Hash: 739fbec3dba136c01a9bee28fef0bba61062ea15f8f19100fedb500cfd60b539
Instruction Fuzzy Hash:

Function 00C6781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C6798B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7f623229a8ab4901c19615f5f6baaea0d5a034561e0b744288959aeea5c6b948
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 1C51677160C6055BDB38867989D97BE23D59B0A34CF180F09E8A2EB2C3C615EF45E352

Function 00C76DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff29d71d35d85a4d5ae4ba165491abf723d5e47facdbd208441b533af75622d7
Instruction ID: bf00d81b3d1f58a647f36acec741f45635167a44c6f1b78c1bb039824641c66d
Opcode Fuzzy Hash: ff29d71d35d85a4d5ae4ba165491abf723d5e47facdbd208441b533af75622d7
Instruction Fuzzy Hash: E5324522D29F454DDB239634CC62339A64DAFB73C5F15D737F82AB99A6EB28C5834100

Function 00C5CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c70d355e80cbd3e0af888334d92b1357da96c0fb8186285782e3252a12ec195
Instruction ID: 75ac4446874f38bce778a222a210bf0ec699ce4c268fd7520f8dd0f699d354b0
Opcode Fuzzy Hash: 7c70d355e80cbd3e0af888334d92b1357da96c0fb8186285782e3252a12ec195
Instruction Fuzzy Hash: CF323932A002458FDF28CF2DC4D867D7BA1EB45301F28856AD87ACB692D730EE85DB55

Function 00C47920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4709b7660de2a2f10adf9b142229860fbd805405d65c2381a83fabb109aa36ff
Instruction ID: c0301701bea87789a4bf5c211d84e3b89c23c0e9634162dfe854fcd47e332a0b
Opcode Fuzzy Hash: 4709b7660de2a2f10adf9b142229860fbd805405d65c2381a83fabb109aa36ff
Instruction Fuzzy Hash: F82203B0A00609DFDF14DF65C881AAEB3F6FF44304F204229E816E7291EB76AE55DB54

Function 00C491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112c3f5ae3e7eea4eef3b9c30c90d3ae8d597e29cc73cfa4f33d3151c1f773c6
Instruction ID: bc47e24388f45ba7e35eec0f31111c2be971631a962567470e14412a68f670ad
Opcode Fuzzy Hash: 112c3f5ae3e7eea4eef3b9c30c90d3ae8d597e29cc73cfa4f33d3151c1f773c6
Instruction Fuzzy Hash: 8202F5B0E00219EFCB04EF55D881AAEBBB5FF44304F108169E816DB290EB31EE55DB94

Function 00C79EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d606560a20e8e802808310eedb12947783798c61aae9d3ab6bdb1d596e475ac
Instruction ID: 367c1c6e81de0834b13efe2a09ab7c0b12f4492b5fa2d85951af6bb976c93d76
Opcode Fuzzy Hash: 1d606560a20e8e802808310eedb12947783798c61aae9d3ab6bdb1d596e475ac
Instruction Fuzzy Hash: E4B11420D2AF804DD3239639887533AB65C6FBB2D5F91D31BFC2679D72EB2195834140

Function 00C61C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 37451cd673e3a5f815debd682dc6e4879209a14519bd1301a3def48bca5054a5
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B69146725080E34ADB3E463A85B447DFFE15A523A331E079EDCF2CA1C5EE14DA54E620

Function 00C61F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 1d6ea6664e374746dbf419d4cb672a19be85459ac1d67dae49de933de104f9e8
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6A91697220D4E349DB7D467A85B403EFFE15A923A231E079DD8F2CB1D5EE24CA54E620

Function 00C619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 44c454abc3301b8de0855e4a376f2194c6515188fce5f23b3e67b8a10d561bc1
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 439113722090E34EDB7D467A85B403DFFE15A923A331E079DD8F2CA1C5FD149654E620

Function 00C67A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9195c52477d6a7e4ad3c907d33ac68116cd6bea3ef1947b9fcbe2b780e5c8083
Instruction ID: 1832f5624247da37e581ab58408b592f6e8e36b2005cab04e011bc83cbeb647b
Opcode Fuzzy Hash: 9195c52477d6a7e4ad3c907d33ac68116cd6bea3ef1947b9fcbe2b780e5c8083
Instruction Fuzzy Hash: DF61783120C70967DE349AA88DE5BBE2394DF8170CF241F1AE863DB282DA11DF46E355

Function 00C67CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87be47c57b14b5418073ce3c9890ac0f1ba3b7ab7fe06ef8ceecea97d3f627bc
Instruction ID: 9c7dac58b5f4efc2b8af98c85950e180458a6449c44cbfc5eec48e3fbc9432fd
Opcode Fuzzy Hash: 87be47c57b14b5418073ce3c9890ac0f1ba3b7ab7fe06ef8ceecea97d3f627bc
Instruction Fuzzy Hash: D4617C7160C7095BDF388A2888D5BBF2394DF4270CF100F59E963DB281EA16DF4A9355

Function 00C61706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 90a718e8972a2556868df05600b062ee6f0c640a385325fb0f0d5ec702509aed
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0B8142726090E349DB7D863A85B443EFFE15A923A331E079DD8F2CB1C1EE249754E620

Function 00CB2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73938c072bfd5611aa98d5c0b37a47b5656fc4818e5700a5859f3935d403f1bf
Instruction ID: 0a043e1c01aeae6039e575897a8a11c3f4948e858563a3e7c8fc891635c7d723
Opcode Fuzzy Hash: 73938c072bfd5611aa98d5c0b37a47b5656fc4818e5700a5859f3935d403f1bf
Instruction Fuzzy Hash: 3021BB326206158BD728CF79D8136BE73E5A754310F15862EE4A7C37D0DE36A905C750

Function 00CC2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CC2B30
DeleteObject.GDI32(00000000), ref: 00CC2B43
DestroyWindow.USER32 ref: 00CC2B52
GetDesktopWindow.USER32 ref: 00CC2B6D
GetWindowRect.USER32(00000000), ref: 00CC2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CC2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CC2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2CF8
GetClientRect.USER32(00000000,?), ref: 00CC2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CC2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2D80
GlobalLock.KERNEL32(00000000), ref: 00CC2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CC2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2DA8
GlobalFree.KERNEL32(00000000), ref: 00CC2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CDFC38,00000000), ref: 00CC2DDB
GlobalFree.KERNEL32(00000000), ref: 00CC2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CC2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CC2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CC303F

Strings

DISPLAY, xrefs: 00CC2EA2
AutoIt v3, xrefs: 00CC2CF2
, xrefs: 00CC2FC5
static, xrefs: 00CC2D3A, 00CC2E91

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b7d8e77be10da66eba2225bdcdc1f036fb302911ee1937e407301eb9dff32cbb
Instruction ID: ccce1ebb7cfe02bffea6cbe523fee973b25dbad921e1eab88fd917e0956ec860
Opcode Fuzzy Hash: b7d8e77be10da66eba2225bdcdc1f036fb302911ee1937e407301eb9dff32cbb
Instruction Fuzzy Hash: 0A025D75A00219AFDB14DFA4CC89FAE7BB9FB48710F048559F915AB2A1CB74ED01CB60

Function 00CD70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CD712F
GetSysColorBrush.USER32(0000000F), ref: 00CD7160
GetSysColor.USER32(0000000F), ref: 00CD716C
SetBkColor.GDI32(?,000000FF), ref: 00CD7186
SelectObject.GDI32(?,?), ref: 00CD7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CD71C0
GetSysColor.USER32(00000010), ref: 00CD71C8
CreateSolidBrush.GDI32(00000000), ref: 00CD71CF
FrameRect.USER32(?,?,00000000), ref: 00CD71DE
DeleteObject.GDI32(00000000), ref: 00CD71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CD7230
FillRect.USER32(?,?,?), ref: 00CD7262
GetWindowLongW.USER32(?,000000F0), ref: 00CD7284

Part of subcall function 00CD73E8: GetSysColor.USER32(00000012), ref: 00CD7421
Part of subcall function 00CD73E8: SetTextColor.GDI32(?,?), ref: 00CD7425
Part of subcall function 00CD73E8: GetSysColorBrush.USER32(0000000F), ref: 00CD743B
Part of subcall function 00CD73E8: GetSysColor.USER32(0000000F), ref: 00CD7446
Part of subcall function 00CD73E8: GetSysColor.USER32(00000011), ref: 00CD7463
Part of subcall function 00CD73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CD7471
Part of subcall function 00CD73E8: SelectObject.GDI32(?,00000000), ref: 00CD7482
Part of subcall function 00CD73E8: SetBkColor.GDI32(?,00000000), ref: 00CD748B
Part of subcall function 00CD73E8: SelectObject.GDI32(?,?), ref: 00CD7498
Part of subcall function 00CD73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CD74B7
Part of subcall function 00CD73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CD74CE
Part of subcall function 00CD73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CD74DB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 489a0e516dcca39504bb25801bd579a8fa9cad5e83ed19678e6794a66b938483
Instruction ID: 2b81bad52db8ce6a1d732f4723ae3204061a92207292c73ed8187ee1eb69c3f3
Opcode Fuzzy Hash: 489a0e516dcca39504bb25801bd579a8fa9cad5e83ed19678e6794a66b938483
Instruction Fuzzy Hash: 8BA18272009312EFDB109F60DC88B5FBBA9FB49321F100B1AFA62961E1E771E944DB51

Function 00C58D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C58E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C96AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C96AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C96F43

Part of subcall function 00C58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C58BE8,?,00000000,?,?,?,?,00C58BBA,00000000,?), ref: 00C58FC5

SendMessageW.USER32(?,00001053), ref: 00C96F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C96F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C96FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C96FB7

Strings

0, xrefs: 00C96DCF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: bfb8f83a4636fc08dc86f5dad4ea5d253300e846d7917ebcb0e0153d3ad9dbe7
Instruction ID: 1bbf54e8d6a94251ae9a55bba4a75b40de33326fc9fd2e6b7df7d9f25ca17d88
Opcode Fuzzy Hash: bfb8f83a4636fc08dc86f5dad4ea5d253300e846d7917ebcb0e0153d3ad9dbe7
Instruction Fuzzy Hash: 3D12BC38201201EFCB25CF24D899BA9B7B1FB44301F148469F5A5DB2A1CB71EE96DF91

Function 00CC2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CC273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CC286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CC28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CC28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CC2900
GetClientRect.USER32(00000000,?), ref: 00CC290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CC2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CC2964
GetStockObject.GDI32(00000011), ref: 00CC2974
SelectObject.GDI32(00000000,00000000), ref: 00CC2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CC2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC2991
DeleteDC.GDI32(00000000), ref: 00CC299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CC29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CC29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CC2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CC2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CC2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CC2A77
GetStockObject.GDI32(00000011), ref: 00CC2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CC2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CC2A97

Strings

DISPLAY, xrefs: 00CC295A
AutoIt v3, xrefs: 00CC28F8
msctls_progress32, xrefs: 00CC2A13
static, xrefs: 00CC294F, 00CC2A71

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 64ed19a83f36890bf1165ad113dec45e38a7c84a3a659441d26120564bd794c3
Instruction ID: f09cb287a9dd789119a509b8937ba9e9e5c125f1f8d8eeb7ba21c3fd3e9fa85c
Opcode Fuzzy Hash: 64ed19a83f36890bf1165ad113dec45e38a7c84a3a659441d26120564bd794c3
Instruction Fuzzy Hash: D4B12C75A40215AFEB14DF68DC85FAEBBA9EB08710F008619FA15E7290DB74ED41CB60

Function 00CB4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CB4AED
GetDriveTypeW.KERNEL32(?,00CDCB68,?,\\.\,00CDCC08), ref: 00CB4BCA
SetErrorMode.KERNEL32(00000000,00CDCB68,?,\\.\,00CDCC08), ref: 00CB4D36

Strings

SAS, xrefs: 00CB4CC9
Virtual, xrefs: 00CB4CE5
Unknown, xrefs: 00CB4BED, 00CB4C83
\\.\, xrefs: 00CB4B3F
1394, xrefs: 00CB4C9F
Fibre, xrefs: 00CB4CAD
Network, xrefs: 00CB4C02
Removable, xrefs: 00CB4C10, 00CB4C15
CDROM, xrefs: 00CB4BFB
PhysicalDrive, xrefs: 00CB4B76
USB, xrefs: 00CB4CB4
RAID, xrefs: 00CB4CBB
SCSI, xrefs: 00CB4C8A
SSA, xrefs: 00CB4CA6
Fixed, xrefs: 00CB4C09
ATA, xrefs: 00CB4C98
FileBackedVirtual, xrefs: 00CB4CEC
MMC, xrefs: 00CB4CDE
SSD, xrefs: 00CB4C4A
ATAPI, xrefs: 00CB4C91
RAMDisk, xrefs: 00CB4BF4
SATA, xrefs: 00CB4CD0
iSCSI, xrefs: 00CB4CC2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8612b6c60d632047e1cd4b13b762a7421d79415b74ba58b96b8d4122baa388bb
Instruction ID: 2d56d52c00f50cc391cb2351d5d0c4dd472fa98abb2292c9b9b11ea6655a17e2
Opcode Fuzzy Hash: 8612b6c60d632047e1cd4b13b762a7421d79415b74ba58b96b8d4122baa388bb
Instruction Fuzzy Hash: F1619030649106DFCB0CDF25CA82AFD7BA1EB44B04F244415F80AAB693DB71DE59EB61

Function 00CD73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CD7421
SetTextColor.GDI32(?,?), ref: 00CD7425
GetSysColorBrush.USER32(0000000F), ref: 00CD743B
GetSysColor.USER32(0000000F), ref: 00CD7446
CreateSolidBrush.GDI32(?), ref: 00CD744B
GetSysColor.USER32(00000011), ref: 00CD7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CD7471
SelectObject.GDI32(?,00000000), ref: 00CD7482
SetBkColor.GDI32(?,00000000), ref: 00CD748B
SelectObject.GDI32(?,?), ref: 00CD7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CD74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CD74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CD74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CD752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CD7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CD7572
DrawFocusRect.USER32(?,?), ref: 00CD757D
GetSysColor.USER32(00000011), ref: 00CD758E
SetTextColor.GDI32(?,00000000), ref: 00CD7596
DrawTextW.USER32(?,00CD70F5,000000FF,?,00000000), ref: 00CD75A8
SelectObject.GDI32(?,?), ref: 00CD75BF
DeleteObject.GDI32(?), ref: 00CD75CA
SelectObject.GDI32(?,?), ref: 00CD75D0
DeleteObject.GDI32(?), ref: 00CD75D5
SetTextColor.GDI32(?,?), ref: 00CD75DB
SetBkColor.GDI32(?,?), ref: 00CD75E5

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c6e8231aa765df7797254d144f4d1e7ce371d3cac3a73427729c689cdc033717
Instruction ID: b45f1ed43dc9839b002c89d9d869b78acb3601217f80ba2fe229bd94050e45b9
Opcode Fuzzy Hash: c6e8231aa765df7797254d144f4d1e7ce371d3cac3a73427729c689cdc033717
Instruction Fuzzy Hash: F4615375901219AFDF019FA4DC49FDEBF79EB08320F114216FA15AB2A1E7749940DF90

Function 00CD0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CD1128
GetDesktopWindow.USER32 ref: 00CD113D
GetWindowRect.USER32(00000000), ref: 00CD1144
GetWindowLongW.USER32(?,000000F0), ref: 00CD1199
DestroyWindow.USER32(?), ref: 00CD11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CD11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CD120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CD121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CD1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CD1245
IsWindowVisible.USER32(00000000), ref: 00CD12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CD12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CD12D0
GetWindowRect.USER32(00000000,?), ref: 00CD12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CD130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CD1328
CopyRect.USER32(?,?), ref: 00CD133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CD13AA

Strings

0, xrefs: 00CD10D3
(, xrefs: 00CD131B
tooltips_class32, xrefs: 00CD11E6

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9e0fe2ac0840458a5b3d1850403c1bcd50de0c33fd880313a1b6e56cdec1a7b5
Instruction ID: a18ab7215a53c3575b7e58e93a5917253105698faf40f326c157e68b1700b13f
Opcode Fuzzy Hash: 9e0fe2ac0840458a5b3d1850403c1bcd50de0c33fd880313a1b6e56cdec1a7b5
Instruction Fuzzy Hash: CBB17A71608341AFD714DF64C884B6EFBE4FF88350F04891AFA999B2A1CB31E945DB91

Function 00C58891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C58968
GetSystemMetrics.USER32(00000007), ref: 00C58970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C5899B
GetSystemMetrics.USER32(00000008), ref: 00C589A3
GetSystemMetrics.USER32(00000004), ref: 00C589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C58A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C58A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C58A5A
GetStockObject.GDI32(00000011), ref: 00C58A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C58A81

Part of subcall function 00C5912D: GetCursorPos.USER32(?), ref: 00C59141
Part of subcall function 00C5912D: ScreenToClient.USER32(00000000,?), ref: 00C5915E
Part of subcall function 00C5912D: GetAsyncKeyState.USER32(00000001), ref: 00C59183
Part of subcall function 00C5912D: GetAsyncKeyState.USER32(00000002), ref: 00C5919D

SetTimer.USER32(00000000,00000000,00000028,00C590FC), ref: 00C58AA8

Strings

AutoIt v3 GUI, xrefs: 00C58A20

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 56d4b1f8df3b5c9561fbc54b8ebef97ded8fb6ac78df6bdb879d45183347822c
Instruction ID: f67f07261082c152e66446421ff10e139c12505747590b0eba48f0f931055a62
Opcode Fuzzy Hash: 56d4b1f8df3b5c9561fbc54b8ebef97ded8fb6ac78df6bdb879d45183347822c
Instruction Fuzzy Hash: 61B17D7960020AAFDF14DFA8D889BAE3BB5FB48315F10421AFA25E72D0DB349945CF54

Function 00CA0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CA1114
Part of subcall function 00CA10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA1120
Part of subcall function 00CA10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA112F
Part of subcall function 00CA10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA1136
Part of subcall function 00CA10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CA114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CA0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CA0E29
GetLengthSid.ADVAPI32(?), ref: 00CA0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00CA0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CA0E96
GetLengthSid.ADVAPI32(?), ref: 00CA0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CA0EB5
HeapAlloc.KERNEL32(00000000), ref: 00CA0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CA0EDD
CopySid.ADVAPI32(00000000), ref: 00CA0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CA0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CA0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CA0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0F6E
HeapFree.KERNEL32(00000000), ref: 00CA0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0F7E
HeapFree.KERNEL32(00000000), ref: 00CA0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA0F8E
HeapFree.KERNEL32(00000000), ref: 00CA0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00CA0FA1
HeapFree.KERNEL32(00000000), ref: 00CA0FA8

Part of subcall function 00CA1193: GetProcessHeap.KERNEL32(00000008,00CA0BB1,?,00000000,?,00CA0BB1,?), ref: 00CA11A1
Part of subcall function 00CA1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CA0BB1,?), ref: 00CA11A8
Part of subcall function 00CA1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CA0BB1,?), ref: 00CA11B7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0d0648e9cbd3d6be4621455274447064efe7f5b06a5d277dbce50751956749d5
Instruction ID: cfa1fc28928337838de9d814e56bc660fb5337b3afb5ba1e175f9aebee6b383d
Opcode Fuzzy Hash: 0d0648e9cbd3d6be4621455274447064efe7f5b06a5d277dbce50751956749d5
Instruction Fuzzy Hash: 83717C7290121BEFDF20DFA4DC85BAEBBB8BF06345F144116F929B6191D730AA15CB60

Function 00CCC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CCC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CDCC08,00000000,?,00000000,?,?), ref: 00CCC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CCC5A4
_wcslen.LIBCMT ref: 00CCC5F4
_wcslen.LIBCMT ref: 00CCC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CCC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CCC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CCC84D
RegCloseKey.ADVAPI32(?), ref: 00CCC881
RegCloseKey.ADVAPI32(00000000), ref: 00CCC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CCC960

Strings

REG_DWORD, xrefs: 00CCC804
REG_SZ, xrefs: 00CCC644
REG_MULTI_SZ, xrefs: 00CCC6F5
REG_BINARY, xrefs: 00CCC913
REG_QWORD, xrefs: 00CCC8C3
REG_EXPAND_SZ, xrefs: 00CCC5CD

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a2d8debb66698ca42e3ad4eac1262fe618de9153d15b8a78bf751556a482c9c1
Instruction ID: 1c435852fc2fe826ff1446f266f53e5dcc67f478026d81b478c7196a8dba0887
Opcode Fuzzy Hash: a2d8debb66698ca42e3ad4eac1262fe618de9153d15b8a78bf751556a482c9c1
Instruction Fuzzy Hash: 001244356042119FDB14DF24C881F2AB7E5FF88714F08899DF89A9B2A2DB31ED45DB81

Function 00CD091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CD09C6
_wcslen.LIBCMT ref: 00CD0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CD0A54
_wcslen.LIBCMT ref: 00CD0A8A
_wcslen.LIBCMT ref: 00CD0B06
_wcslen.LIBCMT ref: 00CD0B81

Part of subcall function 00C5F9F2: _wcslen.LIBCMT ref: 00C5F9FD

Part of subcall function 00CA2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA2BFA

Strings

ISCHECKED, xrefs: 00CD0CE1
EXISTS, xrefs: 00CD0B7C, 00CD0B97
GETTEXT, xrefs: 00CD0C97
GETTOTALCOUNT, xrefs: 00CD09F2, 00CD0A17
UNCHECK, xrefs: 00CD0D3E
GETSELECTED, xrefs: 00CD0C4E
COLLAPSE, xrefs: 00CD0B01, 00CD0B1C
EXPAND, xrefs: 00CD0BF8
CHECK, xrefs: 00CD0A85, 00CD0AA0
SELECT, xrefs: 00CD0D11
GETITEMCOUNT, xrefs: 00CD0C1E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 77e6a2ff38a5d98b357957b45da7d0ce1d9de1637eda6b874e5d493a60b23df3
Instruction ID: e460e9c9b9ce831fffbfcf1334c2bcf72cd161e06551686b81384b53e673ea76
Opcode Fuzzy Hash: 77e6a2ff38a5d98b357957b45da7d0ce1d9de1637eda6b874e5d493a60b23df3
Instruction Fuzzy Hash: 9DE1C1356087119FC714DF28C490A2AB7E2FF98314F20495EF9AA5B3A2D730EE45DB91

Function 00CCC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CCB6AE,?,?), ref: 00CCC9B5
_wcslen.LIBCMT ref: 00CCC9F1
_wcslen.LIBCMT ref: 00CCCA68
_wcslen.LIBCMT ref: 00CCCA9E
_wcslen.LIBCMT ref: 00CCCAF9
_wcslen.LIBCMT ref: 00CCCB2F
_wcslen.LIBCMT ref: 00CCCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00CCCAF3, 00CCCAF8
HKCC, xrefs: 00CCCBAC
HKCR, xrefs: 00CCCB29, 00CCCB2E
HKLM, xrefs: 00CCCA98, 00CCCA9D
HKEY_CURRENT_CONFIG, xrefs: 00CCCB79, 00CCCB7E
HKEY_LOCAL_MACHINE, xrefs: 00CCCA62, 00CCCA67
HKEY_CURRENT_USER, xrefs: 00CCCBBD
HKCU, xrefs: 00CCCBCE
HKEY_USERS, xrefs: 00CCCBDF
HKU, xrefs: 00CCCBF0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 57ac9013c572df9146923d65979ef07b179f663e7e169cfcb4b201f11ede5ce0
Instruction ID: fe3376d9311760a8faa2e1104d2ef5a64e59faf9c0252ad54e70c9ca3ee7e750
Opcode Fuzzy Hash: 57ac9013c572df9146923d65979ef07b179f663e7e169cfcb4b201f11ede5ce0
Instruction Fuzzy Hash: 9B71C832A0056A8BCB20DE7DC9D1FBE3395AB60754B15052CF87E9B284E631DE45D360

Function 00CD833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CD835A
_wcslen.LIBCMT ref: 00CD836E
_wcslen.LIBCMT ref: 00CD8391
_wcslen.LIBCMT ref: 00CD83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CD83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CD361A,?), ref: 00CD844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CD8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CD84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CD8501
FreeLibrary.KERNEL32(?), ref: 00CD850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CD851D
DestroyIcon.USER32(?), ref: 00CD852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CD8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CD8555

Strings

.icl, xrefs: 00CD8368
.exe, xrefs: 00CD8388
.dll, xrefs: 00CD83AB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 30ea6bfd03aa7647a4402290077b0acecea4a5843aba1483674d50b2a056f144
Instruction ID: b264a02d33fdc09386f4e6976db3b9be45ce366dde41117142a0f9f7b87f272c
Opcode Fuzzy Hash: 30ea6bfd03aa7647a4402290077b0acecea4a5843aba1483674d50b2a056f144
Instruction Fuzzy Hash: 5561D271940216BEEB14DF64DC81BBF77ACFB04B11F10460AFA25DA1D1EB74AA84D7A0

Function 00C47778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00C47817
#pragma compile, xrefs: 00C477D3
#requireadmin, xrefs: 00C477FF
#ce, xrefs: 00C478ED
#comments-start, xrefs: 00C4785F, 00C478B1
", xrefs: 00C85153
#cs, xrefs: 00C47873, 00C478C5
Unterminated group of comments, xrefs: 00C8528C
Cannot parse #include, xrefs: 00C85279
#include, xrefs: 00C47847
Bad directive syntax error, xrefs: 00C8519A
', xrefs: 00C85169
#comments-end, xrefs: 00C478D9
#include-once, xrefs: 00C4782F
#notrayicon, xrefs: 00C477E7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: aeeefaeb43ededbf3bbe810679791115a3a22b1b77d9f4f931dbe851896bfaca
Instruction ID: 12f1c8864aa1a6f45173232e07da2bb12de946713d73b9a687ef9d6af290969f
Opcode Fuzzy Hash: aeeefaeb43ededbf3bbe810679791115a3a22b1b77d9f4f931dbe851896bfaca
Instruction Fuzzy Hash: 8681F171A00205BBDF21AF60CC82FAE37A8BF15300F004125FD05AA292EBB1DA55E7A5

Function 00CB3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CB3EF8
_wcslen.LIBCMT ref: 00CB3F03
_wcslen.LIBCMT ref: 00CB3F5A
_wcslen.LIBCMT ref: 00CB3F98
GetDriveTypeW.KERNEL32(?), ref: 00CB3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CB401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CB4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CB4087

Strings

open, xrefs: 00CB3F54, 00CB3F59
close cd wait, xrefs: 00CB4072
open , xrefs: 00CB3FE5
close, xrefs: 00CB3EFE, 00CB3F18
set cd door , xrefs: 00CB4028
closed, xrefs: 00CB3F08, 00CB3F2D, 00CB3F46, 00CB3F7E, 00CB3F97
type cdaudio alias cd wait, xrefs: 00CB4001
wait, xrefs: 00CB4044

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 845609601adf7c51ea3bdab246b923c47f56babeda08c8a30e5c0795d7234f3c
Instruction ID: ac82a4ebda5d8845add0386198cc1466550f2164b0dfa9f1fd66848cfd687ed2
Opcode Fuzzy Hash: 845609601adf7c51ea3bdab246b923c47f56babeda08c8a30e5c0795d7234f3c
Instruction Fuzzy Hash: 6671C1326042129FD314EF24C8819BAB7F4FF94754F00492DF9A5972A1EB31DE49DB91

Function 00CA5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00CA5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CA5A40
SetWindowTextW.USER32(?,?), ref: 00CA5A57
GetDlgItem.USER32(?,000003EA), ref: 00CA5A6C
SetWindowTextW.USER32(00000000,?), ref: 00CA5A72
GetDlgItem.USER32(?,000003E9), ref: 00CA5A82
SetWindowTextW.USER32(00000000,?), ref: 00CA5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CA5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CA5AC3
GetWindowRect.USER32(?,?), ref: 00CA5ACC
_wcslen.LIBCMT ref: 00CA5B33
SetWindowTextW.USER32(?,?), ref: 00CA5B6F
GetDesktopWindow.USER32 ref: 00CA5B75
GetWindowRect.USER32(00000000), ref: 00CA5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CA5BD3
GetClientRect.USER32(?,?), ref: 00CA5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00CA5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CA5C2F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 9b199063782ca424982a42ca8aeb52b6c7601219bf86658eed8ee9d75d11ad26
Instruction ID: df6d86399ad5450d1f5468e81149ce1339732d9c942693ae58559ac0afced5a7
Opcode Fuzzy Hash: 9b199063782ca424982a42ca8aeb52b6c7601219bf86658eed8ee9d75d11ad26
Instruction Fuzzy Hash: 41718131900B0AEFDB20DFA9CD85BAEBBF5FF48709F104519E152A25A0D775E944CB60

Function 00CBFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00CBFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00CBFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00CBFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00CBFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00CBFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00CBFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00CBFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00CBFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00CBFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00CBFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00CBFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00CBFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00CBFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00CBFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00CBFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00CBFECC
GetCursorInfo.USER32(?), ref: 00CBFEDC
GetLastError.KERNEL32 ref: 00CBFF1E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bd77c53f97fd44e6b1f897c0183fd02848e04349d63b2fe0b8263b3fc4862703
Instruction ID: 7027947939432bb597316bfc5f00ad7dd1c238b55237851a34d0b3e9f35938b3
Opcode Fuzzy Hash: bd77c53f97fd44e6b1f897c0183fd02848e04349d63b2fe0b8263b3fc4862703
Instruction Fuzzy Hash: 524161B0D053196ADB109FBA8C8986EBFE8FF04754B50452AE119E7291DB78A901CE91

Function 00C600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C600C6

Part of subcall function 00C600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D1070C,00000FA0,8316778A,?,?,?,?,00C823B3,000000FF), ref: 00C6011C
Part of subcall function 00C600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C823B3,000000FF), ref: 00C60127
Part of subcall function 00C600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C823B3,000000FF), ref: 00C60138
Part of subcall function 00C600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C6014E
Part of subcall function 00C600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C6015C
Part of subcall function 00C600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C6016A
Part of subcall function 00C600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C60195
Part of subcall function 00C600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C601A0

___scrt_fastfail.LIBCMT ref: 00C600E7

Part of subcall function 00C600A3: __onexit.LIBCMT ref: 00C600A9

Strings

kernel32.dll, xrefs: 00C60133
SleepConditionVariableCS, xrefs: 00C60154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C60122
InitializeConditionVariable, xrefs: 00C60148
WakeAllConditionVariable, xrefs: 00C60162

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b841aab0f06e1f9089c9a12a8ceb193ba709f5879e50b12c7a995f6ebfe43482
Instruction ID: a9598c774171a27c01b20079b9b4938d3a6aa66700319e6b77624952da913662
Opcode Fuzzy Hash: b841aab0f06e1f9089c9a12a8ceb193ba709f5879e50b12c7a995f6ebfe43482
Instruction Fuzzy Hash: 8421F9336457116BD7216BA4ACC6B6F3795EB06B51F20413BF902F33D1DFA09841CAA0

Function 00CA30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA318D
_wcslen.LIBCMT ref: 00CA31F8

Strings

TEXT, xrefs: 00CA347C
NAME, xrefs: 00CA3335, 00CA3346
CLASSNN, xrefs: 00CA31F3, 00CA3204
REGEXPCLASS, xrefs: 00CA3255, 00CA3266
CLASS, xrefs: 00CA3188, 00CA31A5
INSTANCE, xrefs: 00CA3453

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: afb7cdff433b182ff3006c4e10f65c7aa64297f311ad1c47c8a8fb6fe9a00645
Instruction ID: 5cf1503dca6ef5e0c3f9f5a0c5cc1302308bc4901dc086a7c3dd26566a2bb4f5
Opcode Fuzzy Hash: afb7cdff433b182ff3006c4e10f65c7aa64297f311ad1c47c8a8fb6fe9a00645
Instruction Fuzzy Hash: 9BE1E731A005579BCB18DFB8C4617EEFBB4BF56714F148119F866A7240DB30AF8597A0

Function 00CB44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CDCC08), ref: 00CB4527
_wcslen.LIBCMT ref: 00CB453B
_wcslen.LIBCMT ref: 00CB4599
_wcslen.LIBCMT ref: 00CB45F4
_wcslen.LIBCMT ref: 00CB463F
_wcslen.LIBCMT ref: 00CB46A7

Part of subcall function 00C5F9F2: _wcslen.LIBCMT ref: 00C5F9FD

GetDriveTypeW.KERNEL32(?,00D06BF0,00000061), ref: 00CB4743

Strings

unknown, xrefs: 00CB4708
cdrom, xrefs: 00CB458F, 00CB4594
fixed, xrefs: 00CB4635, 00CB463A
removable, xrefs: 00CB45EA, 00CB45EF
network, xrefs: 00CB469D, 00CB46A2
ramdisk, xrefs: 00CB46F1
all, xrefs: 00CB4531, 00CB4536

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 23423b1f13d4b191d95de1e9a5bd0c080da907caf020fcf8f95ac22ea1e29e7a
Instruction ID: 405cf3ab000a67849a2e3d5f4df613ae49b4ddbc0ad5095f9e0a310a2dae2551
Opcode Fuzzy Hash: 23423b1f13d4b191d95de1e9a5bd0c080da907caf020fcf8f95ac22ea1e29e7a
Instruction Fuzzy Hash: 2AB1E37160C3129FC728DF28C890AAEB7E5BFA5720F50491DF4A6D7292DB30D945CB62

Function 00CC3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CDCC08), ref: 00CC40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CC40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CDCC08), ref: 00CC40F2
FreeLibrary.KERNEL32(00000000,?,00CDCC08), ref: 00CC413E
StringFromGUID2.OLE32(?,?,00000028,?,00CDCC08), ref: 00CC41A8
SysFreeString.OLEAUT32(00000009), ref: 00CC4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CC42C8
SysFreeString.OLEAUT32(?), ref: 00CC42F2

Strings

kernel32.dll, xrefs: 00CC40B6
GetModuleHandleExW, xrefs: 00CC40C7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a7bed83db556704c15f9b6cd2e170e58831d4a29b85c71b856e62522946f27c5
Instruction ID: 06cb1b3011c413044389f35b01fad854a6b29e7840e407499cc63a715bab84f4
Opcode Fuzzy Hash: a7bed83db556704c15f9b6cd2e170e58831d4a29b85c71b856e62522946f27c5
Instruction Fuzzy Hash: C1122775A00115EFDB18CF94C894FAEBBB5BF85314F24C099E915AB261C731EE42CBA0

Function 00C4326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D11990), ref: 00C82F8D
GetMenuItemCount.USER32(00D11990), ref: 00C8303D
GetCursorPos.USER32(?), ref: 00C83081
SetForegroundWindow.USER32(00000000), ref: 00C8308A
TrackPopupMenuEx.USER32(00D11990,00000000,?,00000000,00000000,00000000), ref: 00C8309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C830A9

Strings

0, xrefs: 00C4327D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6f8b7e7220ee01df7b0d1df35b8c5b7fea0ce3b69eb81ef1149c11134eafae67
Instruction ID: eb3951affbc7dbcbb260a6e96263a1a4148fabefc371d8bdb4373086d9764dd7
Opcode Fuzzy Hash: 6f8b7e7220ee01df7b0d1df35b8c5b7fea0ce3b69eb81ef1149c11134eafae67
Instruction Fuzzy Hash: 50712930640256BEEB319F65CC8DF9ABF64FF41328F204216F624AA1E1C7B1AE10DB54

Function 00CD6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CD6DEB

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CD6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CD6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CD6E94
DestroyWindow.USER32(?), ref: 00CD6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C40000,00000000), ref: 00CD6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CD6EFD
GetDesktopWindow.USER32 ref: 00CD6F16
GetWindowRect.USER32(00000000), ref: 00CD6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CD6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CD6F4D

Part of subcall function 00C59944: GetWindowLongW.USER32(?,000000EB), ref: 00C59952

Strings

0, xrefs: 00CD6D98
tooltips_class32, xrefs: 00CD6E58, 00CD6EDD

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 71c948a53ddf689ad095103de7037d7c4924cdbb056741a046bb0287656e040f
Instruction ID: 861de4ccbb0105b1422fd81031c88e2ecdc4fdfca9bf9de188b942b8eed86c96
Opcode Fuzzy Hash: 71c948a53ddf689ad095103de7037d7c4924cdbb056741a046bb0287656e040f
Instruction Fuzzy Hash: B3714A74144345AFDB21CF58D884BAABBF9FB89304F04451EFAA987361CB70E906DB21

Function 00CD911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

DragQueryPoint.SHELL32(?,?), ref: 00CD9147

Part of subcall function 00CD7674: ClientToScreen.USER32(?,?), ref: 00CD769A
Part of subcall function 00CD7674: GetWindowRect.USER32(?,?), ref: 00CD7710
Part of subcall function 00CD7674: PtInRect.USER32(?,?,00CD8B89), ref: 00CD7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CD91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CD91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CD91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CD9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CD923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CD9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CD9277
DragFinish.SHELL32(?), ref: 00CD927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CD9371

Strings

@GUI_DRAGFILE, xrefs: 00CD9320
@GUI_DRAGID, xrefs: 00CD92E9
@GUI_DROPID, xrefs: 00CD929E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 544ea7f04bb644088562c0001e84440362a72b8de313b3285eb74a8f3de605e3
Instruction ID: 4189de84b7fd214ecde36e404dc0275269c6a27cf02e7882a6e85618aeae5b4e
Opcode Fuzzy Hash: 544ea7f04bb644088562c0001e84440362a72b8de313b3285eb74a8f3de605e3
Instruction Fuzzy Hash: 2D615C71108301AFD701DF64DC85EAFBBE8FF89750F00091EF695922A1DB709A49DB62

Function 00CBC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CBC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CBC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CBC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CBC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CBC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CBC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CBC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CBC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CBC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CBC5F0
InternetCloseHandle.WININET(00000000), ref: 00CBC5FB

Strings

, xrefs: 00CBC575

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c06e8f73c1416db8387aa9377acde6af4eb693d0c4929fe275f25ef31e19c723
Instruction ID: 42951fce67f012d62a9cb954ad39b3bce7b59466f304b10677328ee66c4811a2
Opcode Fuzzy Hash: c06e8f73c1416db8387aa9377acde6af4eb693d0c4929fe275f25ef31e19c723
Instruction Fuzzy Hash: 8B512BB1501609BFDB219F65C9C8BEB7BBCEF08754F00441AF955D6250DB34EA48EB60

Function 00CD856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CD8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00CD85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CD85AD
CloseHandle.KERNEL32(00000000), ref: 00CD85BA
GlobalLock.KERNEL32(00000000), ref: 00CD85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CD85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CD85E0
CloseHandle.KERNEL32(00000000), ref: 00CD85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CD85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CDFC38,?), ref: 00CD8611
GlobalFree.KERNEL32(00000000), ref: 00CD8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CD8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CD8671
DeleteObject.GDI32(00000000), ref: 00CD8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CD86AF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f83d896ac39da8d914a1518f73a71a2ce16c8c8b4b04bac1c5b711feb60eeaa6
Instruction ID: 41e271c781147c79bd6d078227ede85a5777a32dfe0e50ecd2efce0ccee01e2d
Opcode Fuzzy Hash: f83d896ac39da8d914a1518f73a71a2ce16c8c8b4b04bac1c5b711feb60eeaa6
Instruction Fuzzy Hash: AB412975601205AFDB119FA5DC88FAE7BBCFF89B11F10415AF915E7260DB309A05DB20

Function 00CB14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CB1502
VariantCopy.OLEAUT32(?,?), ref: 00CB150B
VariantClear.OLEAUT32(?), ref: 00CB1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CB15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CB1657
VariantInit.OLEAUT32(?), ref: 00CB1708
SysFreeString.OLEAUT32(?), ref: 00CB178C
VariantClear.OLEAUT32(?), ref: 00CB17D8
VariantClear.OLEAUT32(?), ref: 00CB17E7
VariantInit.OLEAUT32(00000000), ref: 00CB1823

Strings

Default, xrefs: 00CB16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00CB1625

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 81c8a4a6f8cd3edb24639a11e32c3c4c00b215642645ee1b4edf7466f70f235b
Instruction ID: 864d31cdefd8ac661357a3006d6587b3f5fc79e5c7f24af239a72dd89f9923af
Opcode Fuzzy Hash: 81c8a4a6f8cd3edb24639a11e32c3c4c00b215642645ee1b4edf7466f70f235b
Instruction Fuzzy Hash: BED11531A00115DBDB249F66E895BBEB7B5BF44700F98805AFC07AB180DB30DD49EB61

Function 00CCB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CCB6AE,?,?), ref: 00CCC9B5
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCC9F1
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA68
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CCB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CCB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CCB80A
RegCloseKey.ADVAPI32(?), ref: 00CCB87E
RegCloseKey.ADVAPI32(?), ref: 00CCB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CCB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CCB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CCB922
FreeLibrary.KERNEL32(00000000), ref: 00CCB983
RegCloseKey.ADVAPI32(00000000), ref: 00CCB994

Strings

RegDeleteKeyExW, xrefs: 00CCB8FE
advapi32.dll, xrefs: 00CCB8ED

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1e3c4df39f2d93973132b613ddf65599f5c8f7c3f38fcf5a609080ac790ff0de
Instruction ID: 5eb82a87441149f570b1c51f4ae6372a1544b80040458c6eb1cfabb22df39646
Opcode Fuzzy Hash: 1e3c4df39f2d93973132b613ddf65599f5c8f7c3f38fcf5a609080ac790ff0de
Instruction Fuzzy Hash: BEC18E30209201AFD714DF64C495F2ABBE5FF84318F14859CF8AA8B2A2CB35ED45DB91

Function 00CC255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CC25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CC25E8
CreateCompatibleDC.GDI32(?), ref: 00CC25F4
SelectObject.GDI32(00000000,?), ref: 00CC2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CC266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CC26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CC26D0
SelectObject.GDI32(?,?), ref: 00CC26D8
DeleteObject.GDI32(?), ref: 00CC26E1
DeleteDC.GDI32(?), ref: 00CC26E8
ReleaseDC.USER32(00000000,?), ref: 00CC26F3

Strings

(, xrefs: 00CC268D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 52b408bef604cdac57139c6db6a4c44ad584aa16c0df95de969329647c8df6aa
Instruction ID: dc65f75e6012d6e33884e3b8bcd732b946dcf24a063e165cbd9e2c7b829e82c6
Opcode Fuzzy Hash: 52b408bef604cdac57139c6db6a4c44ad584aa16c0df95de969329647c8df6aa
Instruction Fuzzy Hash: 9B61E275D0121AEFCF04CFA8D885EAEBBB5FF48310F20852AE955A7250D770A941DF60

Function 00C7DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C7DAA1

Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D659
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D66B
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D67D
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D68F
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D6A1
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D6B3
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D6C5
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D6D7
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D6E9
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D6FB
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D70D
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D71F
Part of subcall function 00C7D63C: _free.LIBCMT ref: 00C7D731

_free.LIBCMT ref: 00C7DA96

Part of subcall function 00C729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000), ref: 00C729DE
Part of subcall function 00C729C8: GetLastError.KERNEL32(00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000,00000000), ref: 00C729F0

_free.LIBCMT ref: 00C7DAB8
_free.LIBCMT ref: 00C7DACD
_free.LIBCMT ref: 00C7DAD8
_free.LIBCMT ref: 00C7DAFA
_free.LIBCMT ref: 00C7DB0D
_free.LIBCMT ref: 00C7DB1B
_free.LIBCMT ref: 00C7DB26
_free.LIBCMT ref: 00C7DB5E
_free.LIBCMT ref: 00C7DB65
_free.LIBCMT ref: 00C7DB82
_free.LIBCMT ref: 00C7DB9A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4f85b18cafbce41d66baf79523182c47a2dd0ac09df47a0a7baa74812ad3919
Instruction ID: a4de2aa178aafd0a33b0be6646a0d75ec20ef08f2dfde6709071124f3792af82
Opcode Fuzzy Hash: b4f85b18cafbce41d66baf79523182c47a2dd0ac09df47a0a7baa74812ad3919
Instruction Fuzzy Hash: 33314B316043059FEB21AA39E845B5AB7F9FF00320F15C819F56ED7191DF31AE80A720

Function 00CA365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CA369C
_wcslen.LIBCMT ref: 00CA36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CA3797
GetClassNameW.USER32(?,?,00000400), ref: 00CA380C
GetDlgCtrlID.USER32(?), ref: 00CA385D
GetWindowRect.USER32(?,?), ref: 00CA3882
GetParent.USER32(?), ref: 00CA38A0
ScreenToClient.USER32(00000000), ref: 00CA38A7
GetClassNameW.USER32(?,?,00000100), ref: 00CA3921
GetWindowTextW.USER32(?,?,00000400), ref: 00CA395D

Strings

%s%u, xrefs: 00CA3734

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1ada0617d9f6b8b2b2bc6f21b22a51dfec56e0dee09b7b54fc200f34137202d9
Instruction ID: 84788148d960825765221822b4d6acdbd5a7cc6f21cf36c772d695c3c521ae4e
Opcode Fuzzy Hash: 1ada0617d9f6b8b2b2bc6f21b22a51dfec56e0dee09b7b54fc200f34137202d9
Instruction Fuzzy Hash: DB91E471204647AFD719DF24C895FAAF7A8FF45348F004629F9A9C2190DB34EB46CB91

Function 00CA4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00CA4994
GetWindowTextW.USER32(?,?,00000400), ref: 00CA49DA
_wcslen.LIBCMT ref: 00CA49EB
CharUpperBuffW.USER32(?,00000000), ref: 00CA49F7
_wcsstr.LIBVCRUNTIME ref: 00CA4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00CA4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00CA4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00CA4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00CA4B20
GetWindowRect.USER32(?,?), ref: 00CA4B8B

Strings

ThumbnailClass, xrefs: 00CA4A6F, 00CA4AF1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2facbebd7e9a5a3436efb1bf612df49915deecb91b9f0a37517a6dee089d47dd
Instruction ID: 29efbe853b1f9cac9344d1e10c705ffddaee903926209434707262c92f79bbb2
Opcode Fuzzy Hash: 2facbebd7e9a5a3436efb1bf612df49915deecb91b9f0a37517a6dee089d47dd
Instruction Fuzzy Hash: BB91D3711042069FDB08CF14D985FAAB7E8FFC6318F04446AFD959A095DB70EE46CBA1

Function 00CABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D11990,000000FF,00000000,00000030), ref: 00CABFAC
SetMenuItemInfoW.USER32(00D11990,00000004,00000000,00000030), ref: 00CABFE1
Sleep.KERNEL32(000001F4), ref: 00CABFF3
GetMenuItemCount.USER32(?), ref: 00CAC039
GetMenuItemID.USER32(?,00000000), ref: 00CAC056
GetMenuItemID.USER32(?,-00000001), ref: 00CAC082
GetMenuItemID.USER32(?,?), ref: 00CAC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CAC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CAC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CAC145

Strings

0, xrefs: 00CABF3D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: c12abec4bf6cfa8581a6e620a64d38339b3e360c83bbd366b2f5a415d9d6bb12
Instruction ID: a9aed286a9d0727f2c851967170a5a753b250979d4a4ee10e6f7f99028d50963
Opcode Fuzzy Hash: c12abec4bf6cfa8581a6e620a64d38339b3e360c83bbd366b2f5a415d9d6bb12
Instruction Fuzzy Hash: F96171B0A0024BAFDF11CF64DDC8AEE7BB8EB06348F144155F961A3292D735AE45DB60

Function 00CCCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CCCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CCCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CCCD48

Part of subcall function 00CCCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CCCCAA
Part of subcall function 00CCCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CCCCBD
Part of subcall function 00CCCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CCCCCF
Part of subcall function 00CCCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CCCD05
Part of subcall function 00CCCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CCCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CCCCF3

Strings

RegDeleteKeyExW, xrefs: 00CCCCC9
advapi32.dll, xrefs: 00CCCCB8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b3472e90ef1c4d6aa46c7df3221993cdcafc61d93224bf02dfc85a9ae856555d
Instruction ID: fa7e605e16adaadab485d32c3753b18b85b71e1d28a94ea6c5aa40cdc9be6e34
Opcode Fuzzy Hash: b3472e90ef1c4d6aa46c7df3221993cdcafc61d93224bf02dfc85a9ae856555d
Instruction Fuzzy Hash: 9E316C7190212ABBDB208B55DCC8FFFBB7CEF55750F00416AE91AE2240DB349A45DAA0

Function 00CB3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CB3D40
_wcslen.LIBCMT ref: 00CB3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CB3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CB3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00CB3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CB3E55
CloseHandle.KERNEL32(00000000), ref: 00CB3E60
CloseHandle.KERNEL32(00000000), ref: 00CB3E6B

Strings

\??\%s, xrefs: 00CB3D5B
\, xrefs: 00CB3D77
:, xrefs: 00CB3D82

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6ebb23c22303eb5ebe788482569049fd5b5dade8f55fe70a27f8b119d68c18ef
Instruction ID: 28b7d6305e7a8ad58a27302865f0062d684197136050419b29bbb9141a2bf700
Opcode Fuzzy Hash: 6ebb23c22303eb5ebe788482569049fd5b5dade8f55fe70a27f8b119d68c18ef
Instruction Fuzzy Hash: 1F31A175A5025AABDB219BA0DC89FEF37BCEF88700F5041B6F619D6060EB749744CB24

Function 00CAE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CAE6B4

Part of subcall function 00C5E551: timeGetTime.WINMM(?,?,00CAE6D4), ref: 00C5E555

Sleep.KERNEL32(0000000A), ref: 00CAE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00CAE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CAE727
SetActiveWindow.USER32 ref: 00CAE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CAE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CAE773
Sleep.KERNEL32(000000FA), ref: 00CAE77E
IsWindow.USER32 ref: 00CAE78A
EndDialog.USER32(00000000), ref: 00CAE79B

Strings

BUTTON, xrefs: 00CAE719

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5837e8b99dcb63bb6d6b6e7a792fb2736c96afaf9bb8c00a242be8e72bd7a78a
Instruction ID: bd7df19deb06e7599183ae703583b4f5f024d230f6e0f79e9d92746e40b8fe40
Opcode Fuzzy Hash: 5837e8b99dcb63bb6d6b6e7a792fb2736c96afaf9bb8c00a242be8e72bd7a78a
Instruction Fuzzy Hash: 7E216FB420030BBFEB006F60ECCAB793B69E79634DB104426F515C22A1DF72AD11DA74

Function 00CAE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CAEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CAEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CAEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CAEAA7

Strings

status PlayMe mode, xrefs: 00CAEA58
close PlayMe, xrefs: 00CAEA6E, 00CAEA9B
open , xrefs: 00CAEA0C
play PlayMe, xrefs: 00CAEAA2
play PlayMe wait, xrefs: 00CAEA91
alias PlayMe, xrefs: 00CAEA36

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f7f327d311303815219ad96416f89170305fbfe669a7e39c6c84dd2be9f861b0
Instruction ID: 341c5597dce7fe2e95071adf84c51e0bd9309a54f59162a4193a946fbe5fa57b
Opcode Fuzzy Hash: f7f327d311303815219ad96416f89170305fbfe669a7e39c6c84dd2be9f861b0
Instruction Fuzzy Hash: A211773169026A7DD710A765EC4AFFF6EBCFBD2B04F0004297415A20D1DE704E19D9B0

Function 00CA9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CAA012
SetKeyboardState.USER32(?), ref: 00CAA07D
GetAsyncKeyState.USER32(000000A0), ref: 00CAA09D
GetKeyState.USER32(000000A0), ref: 00CAA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00CAA0E3
GetKeyState.USER32(000000A1), ref: 00CAA0F4
GetAsyncKeyState.USER32(00000011), ref: 00CAA120
GetKeyState.USER32(00000011), ref: 00CAA12E
GetAsyncKeyState.USER32(00000012), ref: 00CAA157
GetKeyState.USER32(00000012), ref: 00CAA165
GetAsyncKeyState.USER32(0000005B), ref: 00CAA18E
GetKeyState.USER32(0000005B), ref: 00CAA19C

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 50461e58d861e70905f1b0e48eadfb12e9e403d8b6ceaeb7b895ed119b5ae7f8
Instruction ID: 5b5f4dd4c6ccd17861c803b8e6df50e4091c3ac5afbd0068eb600234357f4a29
Opcode Fuzzy Hash: 50461e58d861e70905f1b0e48eadfb12e9e403d8b6ceaeb7b895ed119b5ae7f8
Instruction Fuzzy Hash: 9A51CA3050478A6AFB35DBA088157EEBFB49F13388F08459AD5D2571C2DB649B4CC762

Function 00CA5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CA5CE2
GetWindowRect.USER32(00000000,?), ref: 00CA5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CA5D59
GetDlgItem.USER32(?,00000002), ref: 00CA5D69
GetWindowRect.USER32(00000000,?), ref: 00CA5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CA5DCF
GetDlgItem.USER32(?,000003E9), ref: 00CA5DDD
GetWindowRect.USER32(00000000,?), ref: 00CA5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CA5E31
GetDlgItem.USER32(?,000003EA), ref: 00CA5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CA5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CA5E67

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9e69d869f2dcf538edc10168575cce44d637b8ac9ba269019896f1d52edeb77e
Instruction ID: b26b04eb93522c51148477ff7bb33d1f95be468dad6abaa8f013b4e6e93016d2
Opcode Fuzzy Hash: 9e69d869f2dcf538edc10168575cce44d637b8ac9ba269019896f1d52edeb77e
Instruction Fuzzy Hash: 3051FCB1A0060AAFDF18CF68DD89BAEBBB5FB49314F148129F915E6290D7709E05CB50

Function 00C58BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C58F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C58BE8,?,00000000,?,?,?,?,00C58BBA,00000000,?), ref: 00C58FC5

DestroyWindow.USER32(?), ref: 00C58C81
KillTimer.USER32(00000000,?,?,?,?,00C58BBA,00000000,?), ref: 00C58D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C96973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C58BBA,00000000,?), ref: 00C969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C58BBA,00000000,?), ref: 00C969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C58BBA,00000000), ref: 00C969D4
DeleteObject.GDI32(00000000), ref: 00C969E6

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: caff4efcc653e285f5b0cecf2c758c12ff5676190cfc9aed762e4fff1362a431
Instruction ID: bcc0ed21db48ff68ad077b6a780c4c1cecebbbf3a24c29669f6f3cca2dc27c96
Opcode Fuzzy Hash: caff4efcc653e285f5b0cecf2c758c12ff5676190cfc9aed762e4fff1362a431
Instruction Fuzzy Hash: 48619C38102701EFCF219F15D948B6977F1FB44312F10851DE562AA6A0CB35BAC9DF68

Function 00C59838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C59944: GetWindowLongW.USER32(?,000000EB), ref: 00C59952

GetSysColor.USER32(0000000F), ref: 00C59862

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ec47360131758f111b041d7d576ce7dc52503fa4e1c607d5c2bd5467f857339d
Instruction ID: 3bfcbefa830b924747e75c55cbb27cd8c6ca0ab8b3e35147b276c3a36879fe00
Opcode Fuzzy Hash: ec47360131758f111b041d7d576ce7dc52503fa4e1c607d5c2bd5467f857339d
Instruction Fuzzy Hash: 8C41A035105610EFDF205F389C88BB93BA5EB16332F14468AF9B28B2E1D7319D86DB14

Function 00CA96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00CA9717
LoadStringW.USER32(00000000,?,00C8F7F8,00000001), ref: 00CA9720

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C8F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00CA9742
LoadStringW.USER32(00000000,?,00C8F7F8,00000001), ref: 00CA9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00CA9866

Strings

Error: , xrefs: 00CA981D
^ ERROR, xrefs: 00CA97FB
Line %d (File "%s"):, xrefs: 00CA978F
%s (%d) : ==> %s: %s %s, xrefs: 00CA984A
Line %d:, xrefs: 00CA97A0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: abf422c2f39d9a41b4d163ca5b0f857ae0e5d20d7b10eaf7aa9e5c8022a50aae
Instruction ID: fa6e48a17d0dd9debdd4a7cff3bc3df584114332b71a2b1650d21d36a2ec1bf0
Opcode Fuzzy Hash: abf422c2f39d9a41b4d163ca5b0f857ae0e5d20d7b10eaf7aa9e5c8022a50aae
Instruction Fuzzy Hash: 4E414D7290021AAADF04EFE0DD87EEEB778EF55344F100065F605720A2EA356F49EB61

Function 00CA06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CA07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CA07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CA07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CA0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CA082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CA0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CA083C

Strings

\CLSID, xrefs: 00CA0724
\IPC$, xrefs: 00CA0784
SOFTWARE\Classes\, xrefs: 00CA070E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2feedf5308e9684ab6a7c1ac5fc4c918437d3d8fe660453070ea0c83cb446000
Instruction ID: 4e42a94b53bbe5574debe93c34b1117526d386e425908eb27112f9a413f10368
Opcode Fuzzy Hash: 2feedf5308e9684ab6a7c1ac5fc4c918437d3d8fe660453070ea0c83cb446000
Instruction Fuzzy Hash: 1E41F772C10229ABDF11EFA4DC959EEB778FF44354F14412AE915A31A1EB30AE04DFA0

Function 00CD3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CD403B
CreateCompatibleDC.GDI32(00000000), ref: 00CD4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CD4055
SelectObject.GDI32(00000000,00000000), ref: 00CD405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CD4068
DeleteDC.GDI32(00000000), ref: 00CD4072
GetWindowLongW.USER32(?,000000EC), ref: 00CD407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CD4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CD409E

Strings

static, xrefs: 00CD3FD3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 747983b54387c07538cd19280554de30c4a7640317027b5748f1c69784c636b7
Instruction ID: 46c332e8180641db0de5f9ea9b248d5aca0e1d3b1c696d5d0210fda0c1ea1e6d
Opcode Fuzzy Hash: 747983b54387c07538cd19280554de30c4a7640317027b5748f1c69784c636b7
Instruction Fuzzy Hash: B2314B3250121AABDF219FA4DC49FDE3BA8EF09320F110216FB65A62A0C775D911DB54

Function 00CC3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CC3C5C
CoInitialize.OLE32(00000000), ref: 00CC3C8A
CoUninitialize.OLE32 ref: 00CC3C94
_wcslen.LIBCMT ref: 00CC3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CC3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CC3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CC3F0E
CoGetObject.OLE32(?,00000000,00CDFB98,?), ref: 00CC3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CC3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CC3FC4
VariantClear.OLEAUT32(?), ref: 00CC3FD8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3f0c79e0bcc46aa776baa1bf9c62843008710781836156ef2fdb11f8847f9c36
Instruction ID: 7f914b0cf7375f0a3a674f3c3f06ca60d97cee8e5740458ba1656870f970f7f3
Opcode Fuzzy Hash: 3f0c79e0bcc46aa776baa1bf9c62843008710781836156ef2fdb11f8847f9c36
Instruction Fuzzy Hash: 18C12271608241AFD700DF68D884E2BBBE9FF89748F10895DF98A9B250D730EE45CB52

Function 00CB7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CB7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CB7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CB7BA3
CoCreateInstance.OLE32(00CDFD08,00000000,00000001,00D06E6C,?), ref: 00CB7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CB7C74
CoTaskMemFree.OLE32(?,?), ref: 00CB7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CB7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CB7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CB7D81
CoTaskMemFree.OLE32(00000000), ref: 00CB7DD6
CoUninitialize.OLE32 ref: 00CB7DDC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d4f17e786a3b84ff6f2fc28abee0a9ac70663281fb37c028a70f5dbd8a757339
Instruction ID: 4cc346ff5b389cac5527b20b6d6b6d9b90b4940be1b8bfd90a61cf1089d09a9a
Opcode Fuzzy Hash: d4f17e786a3b84ff6f2fc28abee0a9ac70663281fb37c028a70f5dbd8a757339
Instruction Fuzzy Hash: 3FC10A75A04119AFCB14DFA4C888DAEBBB9FF48304F148599F9199B361D730EE45CB90

Function 00CD541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CD5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CD5515
CharNextW.USER32(00000158), ref: 00CD5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CD5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CD559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CD55AC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6ec4cfa7c583529210a8076338718dd8db2da08d5302093ca48d5303068376a9
Instruction ID: 8897ed77257b73fcebab25056652a831922247ecc05e69b4833a9b899ee7df1b
Opcode Fuzzy Hash: 6ec4cfa7c583529210a8076338718dd8db2da08d5302093ca48d5303068376a9
Instruction Fuzzy Hash: 8A619E74901609EFDF119F95CC84EFE7BB9EB09760F10814BFA25A6390D7708A82DB61

Function 00C9FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C9FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C9FB08
VariantInit.OLEAUT32(?), ref: 00C9FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C9FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C9FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C9FBA1
VariantClear.OLEAUT32(?), ref: 00C9FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C9FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C9FBCC
VariantClear.OLEAUT32(?), ref: 00C9FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C9FBE9

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6c0b931448a32289636dd94f2d3b7b35792b3a4a39ecc88fde5d3a9380cee59c
Instruction ID: 844f8313a32248d210f53620ac7314d5fee6640f9a117c398b4b17f23fed6596
Opcode Fuzzy Hash: 6c0b931448a32289636dd94f2d3b7b35792b3a4a39ecc88fde5d3a9380cee59c
Instruction Fuzzy Hash: 7A414335A012199FCF00DF64C898ABDBBB9FF48344F008069E955E7261CB34A946DF90

Function 00CA9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CA9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00CA9D22
GetKeyState.USER32(000000A0), ref: 00CA9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00CA9D57
GetKeyState.USER32(000000A1), ref: 00CA9D6C
GetAsyncKeyState.USER32(00000011), ref: 00CA9D84
GetKeyState.USER32(00000011), ref: 00CA9D96
GetAsyncKeyState.USER32(00000012), ref: 00CA9DAE
GetKeyState.USER32(00000012), ref: 00CA9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00CA9DD8
GetKeyState.USER32(0000005B), ref: 00CA9DEA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f671505a26f4704629e8d794cf316690c0f6d3d2d0289c6d93d2f89188ac2829
Instruction ID: 57c959f5cf9e56dcdc4916e2c2ab31d010fc2525c8967210e26d41b6c6e709b7
Opcode Fuzzy Hash: f671505a26f4704629e8d794cf316690c0f6d3d2d0289c6d93d2f89188ac2829
Instruction Fuzzy Hash: BA41D834904BCB69FF30866488463B5BEE0EF1335CF04805ADAD6565C2EBB49BC8C792

Function 00CC055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CC05BC
inet_addr.WSOCK32(?), ref: 00CC061C
gethostbyname.WSOCK32(?), ref: 00CC0628
IcmpCreateFile.IPHLPAPI ref: 00CC0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CC06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CC06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CC07B9
WSACleanup.WSOCK32 ref: 00CC07BF

Strings

Ping, xrefs: 00CC0676

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b7bda742173568958a8ba81089ca722a3b01c9a10a96645d014ee0ed39d27b66
Instruction ID: a51e5d897c27444d60a1d4761f7ed9c0002a2c25ef62b657ac78104df21446cd
Opcode Fuzzy Hash: b7bda742173568958a8ba81089ca722a3b01c9a10a96645d014ee0ed39d27b66
Instruction Fuzzy Hash: 42915975608202DFD724DF15C889F1ABBE0AF44318F2485ADF8699B6A2C734EE45CF91

Function 00CC8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CC8CF3

Part of subcall function 00CA8E54: _wcslen.LIBCMT ref: 00CA8E77

_wcslen.LIBCMT ref: 00CC8D4E
_wcslen.LIBCMT ref: 00CC8D9C
_wcslen.LIBCMT ref: 00CC8DDC
_wcslen.LIBCMT ref: 00CC8E6E

Strings

winapi, xrefs: 00CC8D96, 00CC8D9B
none, xrefs: 00CC8E65, 00CC8E6A
cdecl, xrefs: 00CC8D48, 00CC8D4D
stdcall, xrefs: 00CC8DD6, 00CC8DDB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 95fc0483e8c3bdbe7482ac1a023b1ba653a54039e16322cb1092f7be31de2afe
Instruction ID: 967c2b971dee1fd4d44520a6e32f62140ae9efaf0f332855c0ff3937007ac196
Opcode Fuzzy Hash: 95fc0483e8c3bdbe7482ac1a023b1ba653a54039e16322cb1092f7be31de2afe
Instruction Fuzzy Hash: 08519035A001179BCB24DF6CC940ABFB7A5BF65724B60422DE426E72C5DB31DE48D790

Function 00CC372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CC3774
CoUninitialize.OLE32 ref: 00CC377F
CoCreateInstance.OLE32(?,00000000,00000017,00CDFB78,?), ref: 00CC37D9
IIDFromString.OLE32(?,?), ref: 00CC384C
VariantInit.OLEAUT32(?), ref: 00CC38E4
VariantClear.OLEAUT32(?), ref: 00CC3936

Strings

NULL Pointer assignment, xrefs: 00CC381E
Failed to create object, xrefs: 00CC37E4, 00CC389A
Invalid parameter, xrefs: 00CC3865

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c534c9613aed5dfd7095858958a69e9fb4e8f1f3e070ecedda8b34d362bac561
Instruction ID: bef7b176d1bf8d7853c59f9f6245ae50681ac04f0d9437c02c1c0182025116f5
Opcode Fuzzy Hash: c534c9613aed5dfd7095858958a69e9fb4e8f1f3e070ecedda8b34d362bac561
Instruction Fuzzy Hash: D961B070608351AFD310DF64D888F6ABBE4EF49714F10890EF9959B291C770EE88DB96

Function 00CB3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CB33CF

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CB33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00CB3522
Error: , xrefs: 00CB34D1
Line %d (File "%s"):, xrefs: 00CB3443, 00CB345C
^ ERROR , xrefs: 00CB349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00CB3504
Incorrect parameters to object property !, xrefs: 00CB34AB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9466e8890c95a85bf29b41ecd25927c80e8ed156bf216c0e217d970ad9348f50
Instruction ID: 36a452bfdc49a299fe0ffa93150c2453def4549f5aa5e6d28bef235057aceaff
Opcode Fuzzy Hash: 9466e8890c95a85bf29b41ecd25927c80e8ed156bf216c0e217d970ad9348f50
Instruction Fuzzy Hash: 2D518D3294024ABADF14EBA0CD86EEEB778FF04340F104165F505721A2EB316F59EB61

Function 00CAB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CAB5FC
_wcslen.LIBCMT ref: 00CAB608
_wcslen.LIBCMT ref: 00CAB64D
_wcslen.LIBCMT ref: 00CAB68C
_wcslen.LIBCMT ref: 00CAB6C7

Strings

REMOVE, xrefs: 00CAB602, 00CAB607
EXISTS, xrefs: 00CAB686, 00CAB68B
KEYS, xrefs: 00CAB647, 00CAB64C
APPEND, xrefs: 00CAB6C1, 00CAB6C6

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f50996ee7a6cb1c836104465e786da27d273cbbd319d6b8469358e6411e320e0
Instruction ID: 123f14858a7da37db7f69c588e20817ef49fbd3f08f58b9e7c2274340009109d
Opcode Fuzzy Hash: f50996ee7a6cb1c836104465e786da27d273cbbd319d6b8469358e6411e320e0
Instruction Fuzzy Hash: C341D532A000279ACB245F7D88905BEB7B5AFA275CB244129F435DB286E731CE81C7A0

Function 00CB5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CB53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CB5416
GetLastError.KERNEL32 ref: 00CB5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CB54A7

Strings

READY, xrefs: 00CB5460, 00CB5468
NOTREADY, xrefs: 00CB544B
INVALID, xrefs: 00CB5459
READONLY, xrefs: 00CB5452
UNKNOWN, xrefs: 00CB5444

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 70cd5fc74c6fb41e59079e30fc8fd4a30b4e3e94971428cb1dfb01871e5cfd75
Instruction ID: ab04a18e4f458f92624e7abbf8f8003635cdf021a68fe5fa7010744166adbc5d
Opcode Fuzzy Hash: 70cd5fc74c6fb41e59079e30fc8fd4a30b4e3e94971428cb1dfb01871e5cfd75
Instruction Fuzzy Hash: 7B318C75A006059FDB10DF68C484BEABBB4FB45305F18806AE416CB292DB71DE86CFA0

Function 00CD3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CD3C79
SetMenu.USER32(?,00000000), ref: 00CD3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD3D10
IsMenu.USER32(?), ref: 00CD3D24
CreatePopupMenu.USER32 ref: 00CD3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CD3D5B
DrawMenuBar.USER32 ref: 00CD3D63

Strings

0, xrefs: 00CD3C54
F, xrefs: 00CD3D4E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d9cd0f2f50ba50b30007d492ede2f169b467cb999b4d714cf6df6e3a2dbca71f
Instruction ID: 3c16c4a6099f0d027c3114b81bbd78c28de8a965c5a661c7e0401a70dce1b94c
Opcode Fuzzy Hash: d9cd0f2f50ba50b30007d492ede2f169b467cb999b4d714cf6df6e3a2dbca71f
Instruction Fuzzy Hash: AE418DB9A0120AAFDB14DF64E884BEA77B6FF49350F14002AFA1697360D730AA10DF51

Function 00CA1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00CA1F64
GetDlgCtrlID.USER32 ref: 00CA1F6F
GetParent.USER32 ref: 00CA1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CA1F8E
GetDlgCtrlID.USER32(?), ref: 00CA1F97
GetParent.USER32(?), ref: 00CA1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CA1FAE

Strings

ComboBox, xrefs: 00CA1EEC
ListBox, xrefs: 00CA1F21

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f4bf8b63c6912bc17fee9b44999cdd7f36a4d777980e8c52974a2c04ce9a5b61
Instruction ID: c031c7c4fac60109d45c270f585599bc73fa823ecee486d208ae0618b6470945
Opcode Fuzzy Hash: f4bf8b63c6912bc17fee9b44999cdd7f36a4d777980e8c52974a2c04ce9a5b61
Instruction Fuzzy Hash: 3921B074A00225BFCF04AFA0DC85AEEBBB8EF06354F040116B965672D1CB349909DB60

Function 00CA1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00CA2043
GetDlgCtrlID.USER32 ref: 00CA204E
GetParent.USER32 ref: 00CA206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CA206D
GetDlgCtrlID.USER32(?), ref: 00CA2076
GetParent.USER32(?), ref: 00CA208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CA208D

Strings

ComboBox, xrefs: 00CA1FCD
ListBox, xrefs: 00CA2002

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f0b4817de466303955ab299ed9abe1774497482f3d0caa0fd5d393d6102356f1
Instruction ID: 36221b8369d5c55f72ffdf64fa04525ade5990769befd485f8a1d25eef721f6c
Opcode Fuzzy Hash: f0b4817de466303955ab299ed9abe1774497482f3d0caa0fd5d393d6102356f1
Instruction Fuzzy Hash: AF219275A00229BBCF10AFA4DC85FEEBFB8EF06344F004016B955A71A1DB759915EB60

Function 00CD3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CD3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CD3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CD3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CD3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CD3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CD3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CD3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CD3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CD3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CD3C13

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 482dc8b31423521bab31dfdab020f24b7a0a8362663433e4bc4a67dfac4f9b71
Instruction ID: b78c720601d4b1b2bc6b9459aeb74e9e75c450556a93b0de42d8bedc65b856c5
Opcode Fuzzy Hash: 482dc8b31423521bab31dfdab020f24b7a0a8362663433e4bc4a67dfac4f9b71
Instruction Fuzzy Hash: 36616B75900248AFDB10DFA8CC81EEE77B8EB49700F10419AFA25E73A1D770AA45DB60

Function 00C72C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C72C94

Part of subcall function 00C729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000), ref: 00C729DE
Part of subcall function 00C729C8: GetLastError.KERNEL32(00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000,00000000), ref: 00C729F0

_free.LIBCMT ref: 00C72CA0
_free.LIBCMT ref: 00C72CAB
_free.LIBCMT ref: 00C72CB6
_free.LIBCMT ref: 00C72CC1
_free.LIBCMT ref: 00C72CCC
_free.LIBCMT ref: 00C72CD7
_free.LIBCMT ref: 00C72CE2
_free.LIBCMT ref: 00C72CED
_free.LIBCMT ref: 00C72CFB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 529a434bbb297d74d54010d5f9ddfe5d0c010e985934e54b5885fe6b50fec52f
Instruction ID: 10bb8bd1a3e1ac672cdc6de9195e59344bf17ffad19521d244793b672b8b4e84
Opcode Fuzzy Hash: 529a434bbb297d74d54010d5f9ddfe5d0c010e985934e54b5885fe6b50fec52f
Instruction Fuzzy Hash: 02118676500108BFCB02EF64D982CDD7BA5FF09350F5585A5FA4D9F222DA31EE90AB90

Function 00CB7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CB7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CB7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CB8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CB80B0

Strings

*.*, xrefs: 00CB8066

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 32b033f574bab4a1936f757caa7521f7915630d4766bbdb005c2dd4bfb7b90b6
Instruction ID: d2a7dafba627dbe1cf12db3bb5b54f7a59e7f470eff5a75896fb54835170b0f7
Opcode Fuzzy Hash: 32b033f574bab4a1936f757caa7521f7915630d4766bbdb005c2dd4bfb7b90b6
Instruction Fuzzy Hash: 29819D725082819FCB20EF55C884AEEB3E8BFC8354F14495AF895D7250EB35DE49CB52

Function 00C45BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C45C7A

Part of subcall function 00C45D0A: GetClientRect.USER32(?,?), ref: 00C45D30
Part of subcall function 00C45D0A: GetWindowRect.USER32(?,?), ref: 00C45D71
Part of subcall function 00C45D0A: ScreenToClient.USER32(?,?), ref: 00C45D99

GetDC.USER32 ref: 00C846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C84708
SelectObject.GDI32(00000000,00000000), ref: 00C84716
SelectObject.GDI32(00000000,00000000), ref: 00C8472B
ReleaseDC.USER32(?,00000000), ref: 00C84733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C847C4

Strings

U, xrefs: 00C84693

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fafde05d3fcc6291c852883f2c8a6d32b399d44edf45107db332d8cbac0124f0
Instruction ID: 8fb6d6d62584ce3228fc779cd8b735ab023a36a865489dbcd0d9bde08c0c1224
Opcode Fuzzy Hash: fafde05d3fcc6291c852883f2c8a6d32b399d44edf45107db332d8cbac0124f0
Instruction Fuzzy Hash: 26710534400206EFCF29AF64C984AFA7BB1FF4A318F14426AFD615A2A6D7319D41DF60

Function 00CB359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CB35E4

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

LoadStringW.USER32(00D12390,?,00000FFF,?), ref: 00CB360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00CB3742
Error: , xrefs: 00CB36EF
^ ERROR, xrefs: 00CB36C9
Line %d (File "%s"):, xrefs: 00CB366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00CB3724

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7dcbe03451218ab743a66f533c1a6b59df99a8926776fcdfc91f5a0f0c4b535d
Instruction ID: 72da02f1f09ba462d42b08e8fc60783b1391e75ff6db327db864347dfaebed78
Opcode Fuzzy Hash: 7dcbe03451218ab743a66f533c1a6b59df99a8926776fcdfc91f5a0f0c4b535d
Instruction Fuzzy Hash: DE516F7194025ABBDF14EBA0DC82EEEBB74FF45300F044125F515721A2DB305B99EB61

Function 00CBC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CBC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CBC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CBC2CA
GetLastError.KERNEL32 ref: 00CBC322
SetEvent.KERNEL32(?), ref: 00CBC336
InternetCloseHandle.WININET(00000000), ref: 00CBC341

Strings

, xrefs: 00CBC2BB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d18d0d447d3bb36e906d41f496e44c9ca3f1723a2567767d784cc1953b713a42
Instruction ID: 54104a85125e7b2dbdea53f29c61149c8793ab58cfae218946e4ff4229dc1d05
Opcode Fuzzy Hash: d18d0d447d3bb36e906d41f496e44c9ca3f1723a2567767d784cc1953b713a42
Instruction Fuzzy Hash: 973167B1601608AFDB219FA588C8BEF7BFCEB49744F54851EF496D2210DB34DE049BA1

Function 00CA989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C83AAF,?,?,Bad directive syntax error,00CDCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CA98BC
LoadStringW.USER32(00000000,?,00C83AAF,?), ref: 00CA98C3

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CA9987

Strings

Line %d (File "%s"):, xrefs: 00CA992D
%s (%d) : ==> %s.: %s %s, xrefs: 00CA98F1
Error: , xrefs: 00CA9955
Line %d:, xrefs: 00CA9912
., xrefs: 00CA996D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 897d58f07e7a3358c7103b7f24664d3da9214c955de15761edca7cbbc7a61d46
Instruction ID: 44d65e9ebd1d1fec759fccaa5aacba6638f7af1a5f15c2c63b68815933b8702b
Opcode Fuzzy Hash: 897d58f07e7a3358c7103b7f24664d3da9214c955de15761edca7cbbc7a61d46
Instruction Fuzzy Hash: FE21713294021AFBDF15AF90CC4AFEE7775FF15304F04445AF519660A2EB319668EB60

Function 00CA209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CA20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00CA20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CA214D

Strings

largeicons, xrefs: 00CA20E1
smallicons, xrefs: 00CA2115
SHELLDLL_DefView, xrefs: 00CA20CC
list, xrefs: 00CA212F
details, xrefs: 00CA20FB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6f69c69dec91705bd7949348e3a5729783dbfae2fa65f08a7dbeca7bd463172e
Instruction ID: cea75ea2d6d06d7758154984c1e4eff835b99b7710de04e3b47ee57d755e3c63
Opcode Fuzzy Hash: 6f69c69dec91705bd7949348e3a5729783dbfae2fa65f08a7dbeca7bd463172e
Instruction Fuzzy Hash: A4118076288317BDFA152224EC07FEF379CCF06328F200016FB09A40D2FE61AC066A14

Function 00C78D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579033ab507a5393c6ee996fd0ed5e24a4e7c664bb47ca1353426f185fa9584e
Instruction ID: 3d5ccc521529a8ea448fcbf62aec5fa2dc1ee19f12b4a6f4502d570bd818ecd7
Opcode Fuzzy Hash: 579033ab507a5393c6ee996fd0ed5e24a4e7c664bb47ca1353426f185fa9584e
Instruction Fuzzy Hash: 66C1E474944349AFCB21DFA8D895BADBFB0FF0D310F048059E529A7392CB749A42DB61

Function 00C7CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C7CEB7
_free.LIBCMT ref: 00C7CF22
_free.LIBCMT ref: 00C7CF48
_free.LIBCMT ref: 00C7CF71
_free.LIBCMT ref: 00C7CFA9
_free.LIBCMT ref: 00C7CFDA
_free.LIBCMT ref: 00C7D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C7D09C
_free.LIBCMT ref: 00C7D0B5

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 06e26ea5572af5f479923d9874bb74bea22622fa60405dd983505367d1698d0c
Instruction ID: 6f93daae88ecb2db0cca4eaf94ce7b9f7e6637cdf4a93ab86686c0d0ba93d612
Opcode Fuzzy Hash: 06e26ea5572af5f479923d9874bb74bea22622fa60405dd983505367d1698d0c
Instruction Fuzzy Hash: 24612B71A043026FDB25AFF4ACC1AAD7BA5AF05360F08C16EF95DD7281DB319E429760

Function 00CD50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CD5186
ShowWindow.USER32(?,00000000), ref: 00CD51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CD51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CD51D1

Part of subcall function 00CD6FBA: DeleteObject.GDI32(00000000), ref: 00CD6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CD520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CD521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CD524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CD5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CD5296

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4a6c09f92d7f9b1ce255dc31879209d6c42008b54abf83bae912ec91abe1ad7a
Instruction ID: 8fbdca749a7ce6f8bf003faf6e471147565e8a7b8aa2bf57879061f0930a9673
Opcode Fuzzy Hash: 4a6c09f92d7f9b1ce255dc31879209d6c42008b54abf83bae912ec91abe1ad7a
Instruction Fuzzy Hash: 5F517B34A41A09BEEF209F25CC4ABDD3B65EB05361F148113FB25963E0C775AA88EB40

Function 00C58B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C96890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C58874,00000000,00000000,00000000,000000FF,00000000), ref: 00C96901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C9691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C58874,00000000,00000000,00000000,000000FF,00000000), ref: 00C9692D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 04afcd8806ce4daa0de185088e6c73299395a7df4e173c45690b20798378ad00
Instruction ID: 6d813c40ab133df74132c66db557fbe28c4eb073df148b70f0ecbb06840518b9
Opcode Fuzzy Hash: 04afcd8806ce4daa0de185088e6c73299395a7df4e173c45690b20798378ad00
Instruction Fuzzy Hash: FC519A74600205EFDF20CF25CC95FAA7BB9EB48361F104518F962A72E0DB70EA85DB54

Function 00CBC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CBC182
GetLastError.KERNEL32 ref: 00CBC195
SetEvent.KERNEL32(?), ref: 00CBC1A9

Part of subcall function 00CBC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CBC272
Part of subcall function 00CBC253: GetLastError.KERNEL32 ref: 00CBC322
Part of subcall function 00CBC253: SetEvent.KERNEL32(?), ref: 00CBC336
Part of subcall function 00CBC253: InternetCloseHandle.WININET(00000000), ref: 00CBC341

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5d2e5b38e539b159bf237788a18924c34cf7a894f05fe8afdde4313230c756c5
Instruction ID: 6d4d012f2d96549208bdcd2a7105f0f0f2ec56612fbc0af79f300ce3abb60519
Opcode Fuzzy Hash: 5d2e5b38e539b159bf237788a18924c34cf7a894f05fe8afdde4313230c756c5
Instruction Fuzzy Hash: 15317A71201606AFDB219FA5DC84BABBBE9FF58300F00441EF966C7620D730E914EBA1

Function 00CA25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA3A57
Part of subcall function 00CA3A3D: GetCurrentThreadId.KERNEL32 ref: 00CA3A5E
Part of subcall function 00CA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CA25B3), ref: 00CA3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CA25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CA25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CA25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CA25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CA2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CA2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CA260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CA2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CA2627

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d5d2fc3244843269f94ea53b2d1ea8b4bd6b9178e7699066b6826a0498ccc5dd
Instruction ID: 1ef21681ff962334640b783c803293d9d7304c0a607a2f4802b58b1e7d2bc48e
Opcode Fuzzy Hash: d5d2fc3244843269f94ea53b2d1ea8b4bd6b9178e7699066b6826a0498ccc5dd
Instruction Fuzzy Hash: 3601D430790721BBFB2067699CCAF5D3F59DB4EB16F100002F318AF0D1C9E26845DA69

Function 00CA1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CA1449,?,?,00000000), ref: 00CA180C
HeapAlloc.KERNEL32(00000000,?,00CA1449,?,?,00000000), ref: 00CA1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CA1449,?,?,00000000), ref: 00CA1828
GetCurrentProcess.KERNEL32(?,00000000,?,00CA1449,?,?,00000000), ref: 00CA1830
DuplicateHandle.KERNEL32(00000000,?,00CA1449,?,?,00000000), ref: 00CA1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CA1449,?,?,00000000), ref: 00CA1843
GetCurrentProcess.KERNEL32(00CA1449,00000000,?,00CA1449,?,?,00000000), ref: 00CA184B
DuplicateHandle.KERNEL32(00000000,?,00CA1449,?,?,00000000), ref: 00CA184E
CreateThread.KERNEL32(00000000,00000000,00CA1874,00000000,00000000,00000000), ref: 00CA1868

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 68c9f4936ffa883390065cf55f8b800adb3e6373e51fa8994911373501110c89
Instruction ID: 0e60cf548c68a3a1868e31efab6f75b5223d27a59bd2a37fc49c67a15fbea65a
Opcode Fuzzy Hash: 68c9f4936ffa883390065cf55f8b800adb3e6373e51fa8994911373501110c89
Instruction Fuzzy Hash: 7C01BBB5281319BFE710ABA5DC8DF6F3BACEB89B11F014411FA05DB1A1CA749810CB20

Function 00CCA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00CAD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00CAD501
Part of subcall function 00CAD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00CAD50F
Part of subcall function 00CAD4DC: CloseHandle.KERNELBASE(00000000), ref: 00CAD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CCA16D
GetLastError.KERNEL32 ref: 00CCA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CCA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CCA268
GetLastError.KERNEL32(00000000), ref: 00CCA273
CloseHandle.KERNEL32(00000000), ref: 00CCA2C4

Strings

SeDebugPrivilege, xrefs: 00CCA18F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e9430d13829e68026f0920d6e7f84a5fb01a658d9ee59b9deaf3f29fee562a4c
Instruction ID: 467c7867c34301e435a5feef1a6443de2d71c8aa0f18e119fcebefb5a7b1f172
Opcode Fuzzy Hash: e9430d13829e68026f0920d6e7f84a5fb01a658d9ee59b9deaf3f29fee562a4c
Instruction Fuzzy Hash: 2F617E712052529FD720DF19C498F19BBE1AF4431CF18849CE46A8B7A3C776ED49CB92

Function 00CD3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CD3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CD393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CD3954
_wcslen.LIBCMT ref: 00CD3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CD39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CD39F4

Strings

SysListView32, xrefs: 00CD38F7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 9f322fa164128a759c65eadf84db4ff055f23bfd21d1c157fedbe70a5877b998
Instruction ID: 2bd59be9229b95cc6e824138e44d31031331233646848f953a9e85667aa489c7
Opcode Fuzzy Hash: 9f322fa164128a759c65eadf84db4ff055f23bfd21d1c157fedbe70a5877b998
Instruction Fuzzy Hash: 54419371A00259ABEF219F64CC85BEE7BA9EF08350F100527FA58E7281D771DA84DB90

Function 00CABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CABCFD
IsMenu.USER32(00000000), ref: 00CABD1D
CreatePopupMenu.USER32 ref: 00CABD53
GetMenuItemCount.USER32(01816B70), ref: 00CABDA4
InsertMenuItemW.USER32(01816B70,?,00000001,00000030), ref: 00CABDCC

Strings

2, xrefs: 00CABD37
0, xrefs: 00CABCA8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 46d49f326b0559331af6efa49d7767999d58bebf6d42b43338cb1f6fd43cf98c
Instruction ID: abc17c2892d53602140ab2ab537dd8b9507036b5e578c7e6aad0aa08f1b851eb
Opcode Fuzzy Hash: 46d49f326b0559331af6efa49d7767999d58bebf6d42b43338cb1f6fd43cf98c
Instruction Fuzzy Hash: 9D518F70A002069BDF10CFB9D8C8BAEBBF4BF46318F14425AE4219B296D770AE41CB51

Function 00CAC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CAC913

Strings

warning, xrefs: 00CAC8FC
info, xrefs: 00CAC8B4
question, xrefs: 00CAC8CC
stop, xrefs: 00CAC8E4
blank, xrefs: 00CAC895

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ec20549b1f3a440d9c720cae944b05dcdf27ac2f8368b730a28efbec5493d610
Instruction ID: aade149e5164bcfc4c4bce3c7169e4ee183a2db41087bf7a2a4aa79263fcee5e
Opcode Fuzzy Hash: ec20549b1f3a440d9c720cae944b05dcdf27ac2f8368b730a28efbec5493d610
Instruction Fuzzy Hash: D3112736689307BEE7059B649CC2EAF37DCDF16328B20002EF514A62C2E7A49E006275

Function 00CADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CADE42
gethostname.WSOCK32(?,00000100), ref: 00CADE5C
gethostbyname.WSOCK32(?), ref: 00CADE69
inet_ntoa.WSOCK32(?), ref: 00CADEAB
_strcat.LIBCMT ref: 00CADEB9
WSACleanup.WSOCK32 ref: 00CADEDE

Strings

0.0.0.0, xrefs: 00CADE87

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5858f05ca3dc57a17514695e6937668272c10903b4b24f247796ebabba7696f1
Instruction ID: 87f95c0cbd48b42206d197501372d864899414a675e6ce671d278e86fd1c391c
Opcode Fuzzy Hash: 5858f05ca3dc57a17514695e6937668272c10903b4b24f247796ebabba7696f1
Instruction Fuzzy Hash: 60110671904116AFCB34AB709C8AFEF77BCDF12715F01016AF557A6091EF718A81DA60

Function 00CD9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

GetSystemMetrics.USER32(0000000F), ref: 00CD9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CD9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CDA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CDA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CDA263
ShowWindow.USER32(00000003,00000000), ref: 00CDA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CDA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CDA2CA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a269d8b48fbec9183b49df706ffe8f5d4764a7bd7e79d5e07844e765bcf2db06
Instruction ID: 842cd257ddb7f0b71e8474e82d15602b6636d8e74cdf1fec0e231beef1a2e6e4
Opcode Fuzzy Hash: a269d8b48fbec9183b49df706ffe8f5d4764a7bd7e79d5e07844e765bcf2db06
Instruction Fuzzy Hash: 8EB18835600215EBDF18CF69C9C57AE7BB2FF44701F08806AEE599B395DB31AA40CB61

Function 00CAED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CAED2A
_wcslen.LIBCMT ref: 00CAED3B
_wcslen.LIBCMT ref: 00CAED79
_wcslen.LIBCMT ref: 00CAEDAF
_wcslen.LIBCMT ref: 00CAEDDF
_wcslen.LIBCMT ref: 00CAEDEF
_wcslen.LIBCMT ref: 00CAEE2B
_wcslen.LIBCMT ref: 00CAEE5A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 38a3c5b37f9cd8446a3e147800082d1dfe56eb8ca5149072547bd4c127cda326
Instruction ID: 970bb05428bf9190032b1b9a9f665b1bcd5c7c876b2f9f0802718d84750147fc
Opcode Fuzzy Hash: 38a3c5b37f9cd8446a3e147800082d1dfe56eb8ca5149072547bd4c127cda326
Instruction Fuzzy Hash: 22419165D1021975DB21EBF4C8CAACFB7ACAF46710F508462E518E3121FB34E656C3E5

Function 00C5F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C9682C,00000004,00000000,00000000), ref: 00C5F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C9682C,00000004,00000000,00000000), ref: 00C9F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C9682C,00000004,00000000,00000000), ref: 00C9F454

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4dfb076929fec8e57260a51baa4b632de509937bf019b6e142e271b4d656ff5f
Instruction ID: 5545d03c1c32ce2fcf6a3be19b811c4751ec0065f28a76605db585dc74f19ee9
Opcode Fuzzy Hash: 4dfb076929fec8e57260a51baa4b632de509937bf019b6e142e271b4d656ff5f
Instruction Fuzzy Hash: CA414039104B80BACB3C8B29C8CC76E7B91BB46312F14443DE9A792560D67195CBDB15

Function 00CD2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CD2D1B
GetDC.USER32(00000000), ref: 00CD2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CD2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CD2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CD2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CD2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CD5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CD2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CD2DE1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ae89e4691fe0f597f7164adc2a630ca40efa113afa45e1baa622a0ab82d9858e
Instruction ID: 4fa878ec9fc734dda2321d8ba4e1d2eec3052e2954b98363a0cee6f73c1d8388
Opcode Fuzzy Hash: ae89e4691fe0f597f7164adc2a630ca40efa113afa45e1baa622a0ab82d9858e
Instruction Fuzzy Hash: 60318C72202214BFEB218F50CC8AFEB3FADEF19715F084056FE089A291D6759C51CBA4

Function 00CA5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CA5637
_memcmp.LIBVCRUNTIME ref: 00CA5659
_memcmp.LIBVCRUNTIME ref: 00CA5671
_memcmp.LIBVCRUNTIME ref: 00CA5684
_memcmp.LIBVCRUNTIME ref: 00CA569E
_memcmp.LIBVCRUNTIME ref: 00CA56B1
_memcmp.LIBVCRUNTIME ref: 00CA56C9
_memcmp.LIBVCRUNTIME ref: 00CA56E4

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d4bab299bf147511a990bef4bcf4904d3f6898aacb9b881697e6946b5b75636d
Instruction ID: c69229bb6f0527bdd7f569e4f8d4386277c03acdc8fb1530bcc519ea58bc8324
Opcode Fuzzy Hash: d4bab299bf147511a990bef4bcf4904d3f6898aacb9b881697e6946b5b75636d
Instruction Fuzzy Hash: 3A21C961750A0AB7D23855218EC2FFA335CBF62389F58C035FE169A781F720EE2191A5

Function 00CC4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00CC5007
NULL Pointer assignment, xrefs: 00CC502E, 00CC5383

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 22ffff8aa3092862e7db7cb42476797077348b7acabc0e2205f09dd28f1b99ab
Instruction ID: 73a9a9f78a0c6ce16ac55634d0f0c3ee32a516f9789a5058cbbd2c13066681a6
Opcode Fuzzy Hash: 22ffff8aa3092862e7db7cb42476797077348b7acabc0e2205f09dd28f1b99ab
Instruction Fuzzy Hash: 05D19F75A0060A9FDF10CFA8C885FAEB7B5BF48344F14816DE915AB291D770EE85CB90

Function 00C81522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C815CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C81651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C816E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C816FB

Part of subcall function 00C73820: RtlAllocateHeap.NTDLL(00000000,?,00D11444,?,00C5FDF5,?,?,00C4A976,00000010,00D11440,00C413FC,?,00C413C6,?,00C41129), ref: 00C73852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C81777
__freea.LIBCMT ref: 00C817A2
__freea.LIBCMT ref: 00C817AE

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 41320744ddf3da33cfe57ac08e8d3038e56ec57c5e76dcebe94a7585a0468cbb
Instruction ID: 245e3adc2ebb62579ba6e27c561b9a8ed92c4fcb15862984bd4fca2d5dc90d70
Opcode Fuzzy Hash: 41320744ddf3da33cfe57ac08e8d3038e56ec57c5e76dcebe94a7585a0468cbb
Instruction Fuzzy Hash: F791D471E00216AADB20AE64C881AEEBBF9DF49318F1C4629EC15E7181D735DE42CB64

Function 00CC4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CC4648
VariantInit.OLEAUT32(?), ref: 00CC4749
VariantClear.OLEAUT32(?), ref: 00CC4753
VariantClear.OLEAUT32(?), ref: 00CC47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00CC472C
Null Object assignment in FOR..IN loop, xrefs: 00CC45D8, 00CC4706, 00CC47BE

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 802af28387edd28ab3e3f44c858aa0edef6de2d2d29c7393481f879bfbf9b156
Instruction ID: 8cfb41e97ff9ee1b612ffcf5382b2e3c0689e8b81c45bf0bc81316fa413c0b2d
Opcode Fuzzy Hash: 802af28387edd28ab3e3f44c858aa0edef6de2d2d29c7393481f879bfbf9b156
Instruction Fuzzy Hash: 8F916F71E00219ABDF28CFA5C898FAEBBB8EF46714F10855DF515AB280D7709945CFA0

Function 00CB1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CB125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CB1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CB12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CB12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CB135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CB13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CB1430

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 281ca544d3f361323dcb2862d3fea3186faf13b1bf783e906cf0a720b9ba03af
Instruction ID: de6e39b2892b3aa54485955ffa896b7b863bb727682b0a9306c7ed37b070e1ff
Opcode Fuzzy Hash: 281ca544d3f361323dcb2862d3fea3186faf13b1bf783e906cf0a720b9ba03af
Instruction Fuzzy Hash: A991F071A00219AFDB00DFA8C8A4BFEB7B5FF45321F294029ED10EB291D774A941DB91

Function 00C5948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 788f90d86674bdd22a9e118712f650f5dc4ea23e8fdcf77885ae1f9d02d05a8c
Instruction ID: dafb34007fe7a03a1275e7722a0ea59d42fcd6a5ce3444c386668b8ba7ea6fed
Opcode Fuzzy Hash: 788f90d86674bdd22a9e118712f650f5dc4ea23e8fdcf77885ae1f9d02d05a8c
Instruction Fuzzy Hash: 78916B75D00219EFCB10CFA9CC88AEEBBB8FF48320F144195E915B7251D334AA95DB64

Function 00CC3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CC396B
CharUpperBuffW.USER32(?,?), ref: 00CC3A7A
_wcslen.LIBCMT ref: 00CC3A8A
VariantClear.OLEAUT32(?), ref: 00CC3C1F

Part of subcall function 00CB0CDF: VariantInit.OLEAUT32(00000000), ref: 00CB0D1F
Part of subcall function 00CB0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CB0D28
Part of subcall function 00CB0CDF: VariantClear.OLEAUT32(?), ref: 00CB0D34

Strings

AUTOIT.ERROR, xrefs: 00CC3A80, 00CC3A85
Incorrect Parameter format, xrefs: 00CC39A6, 00CC3BA1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 928e95656c6ea519618b68f9b60cdb5aa48e267074a009fd49a579964724ec1c
Instruction ID: 49dc563c92330548f311cb891ff0531485ec4bdfba431daf836c0e69fc3b3c22
Opcode Fuzzy Hash: 928e95656c6ea519618b68f9b60cdb5aa48e267074a009fd49a579964724ec1c
Instruction Fuzzy Hash: 97918874A083419FC704EF28D490A6AB7E4FF88314F14892DF89A8B351DB30EE45DB92

Function 00CC4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00CA000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?,?,00CA035E), ref: 00CA002B
Part of subcall function 00CA000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?), ref: 00CA0046
Part of subcall function 00CA000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?), ref: 00CA0054
Part of subcall function 00CA000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?), ref: 00CA0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CC4C51
_wcslen.LIBCMT ref: 00CC4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CC4DCF
CoTaskMemFree.OLE32(?), ref: 00CC4DDA

Strings

NULL Pointer assignment, xrefs: 00CC4E23, 00CC4E52

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 84fb483406ae481a5f4bb0ff0c2f900d5a8ed0baf70dc6d599af6d9aee8240d2
Instruction ID: 8dbd668b8b5fb837767c73519dac5be2d4c309b839eca54fbc9c30cc203b1a0e
Opcode Fuzzy Hash: 84fb483406ae481a5f4bb0ff0c2f900d5a8ed0baf70dc6d599af6d9aee8240d2
Instruction Fuzzy Hash: B4910671D00229AFDF14DFA4D891EEEB7B9FF08314F10816AE915A7291DB309A45DF60

Function 00CD20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CD2183
GetMenuItemCount.USER32(00000000), ref: 00CD21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CD21DD
_wcslen.LIBCMT ref: 00CD2213
GetMenuItemID.USER32(?,?), ref: 00CD224D
GetSubMenu.USER32(?,?), ref: 00CD225B

Part of subcall function 00CA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA3A57
Part of subcall function 00CA3A3D: GetCurrentThreadId.KERNEL32 ref: 00CA3A5E
Part of subcall function 00CA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CA25B3), ref: 00CA3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CD22E3

Part of subcall function 00CAE97B: Sleep.KERNEL32 ref: 00CAE9F3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: addbafbe8771c9e24e62d9ce87b4e53b1aac0fa7fbe32f69d907901934ca5402
Instruction ID: d8f335af105a9e39950a588457bcd042135861a5edc50b1356bf6bf4cd40a90e
Opcode Fuzzy Hash: addbafbe8771c9e24e62d9ce87b4e53b1aac0fa7fbe32f69d907901934ca5402
Instruction Fuzzy Hash: 94719E35A00205AFCB10DFA5C881AAEB7F5FF58320F14845AE926EB351D734EE419B90

Function 00CD7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01816B48), ref: 00CD7F37
IsWindowEnabled.USER32(01816B48), ref: 00CD7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CD801E
SendMessageW.USER32(01816B48,000000B0,?,?), ref: 00CD8051
IsDlgButtonChecked.USER32(?,?), ref: 00CD8089
GetWindowLongW.USER32(01816B48,000000EC), ref: 00CD80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CD80C3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c532d957a18715ca2c50a2560910acc365f09be10655fe6e18cb95e5c537d6af
Instruction ID: 713c5fa6087b3a2b7aeec1049cff6168cce3a7cd5f236f12914636455a6296f8
Opcode Fuzzy Hash: c532d957a18715ca2c50a2560910acc365f09be10655fe6e18cb95e5c537d6af
Instruction Fuzzy Hash: E2717034609205AFEB31DF94C884FBABBB5EF09300F14455BFA6597361DB31AA49DB20

Function 00CAAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CAAEF9
GetKeyboardState.USER32(?), ref: 00CAAF0E
SetKeyboardState.USER32(?), ref: 00CAAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CAAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CAAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CAAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CAB020

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c567bbdb9e359a003b18b01939c721be9494c1ee2cdba3b16cd9c4698c963753
Instruction ID: 660da2cfdd6f4ba704b1ff11909d4caac864beade7d71627acf26eb38d6431ac
Opcode Fuzzy Hash: c567bbdb9e359a003b18b01939c721be9494c1ee2cdba3b16cd9c4698c963753
Instruction Fuzzy Hash: 4251B1E06047D73EFB3682748C45BBABEA95B07308F08858AF1E9558C3C398AED4D751

Function 00CAACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CAAD19
GetKeyboardState.USER32(?), ref: 00CAAD2E
SetKeyboardState.USER32(?), ref: 00CAAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CAADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CAADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CAAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CAAE38

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a873a251d2ff23e628f82e4630a41c7fa6da297c0c42a1f7ccd0b7f9a63f91a5
Instruction ID: 147ed0924ebe231606006d57848281f7003c691bdaa86ce010056a6946feb980
Opcode Fuzzy Hash: a873a251d2ff23e628f82e4630a41c7fa6da297c0c42a1f7ccd0b7f9a63f91a5
Instruction Fuzzy Hash: BD51D6A19047D73DFB3783348C95B7ABEA85B47308F088589E1E5468C3D394EE94E762

Function 00C7542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C83CD6,?,?,?,?,?,?,?,?,00C75BA3,?,?,00C83CD6,?,?), ref: 00C75470
__fassign.LIBCMT ref: 00C754EB
__fassign.LIBCMT ref: 00C75506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C83CD6,00000005,00000000,00000000), ref: 00C7552C
WriteFile.KERNEL32(?,00C83CD6,00000000,00C75BA3,00000000,?,?,?,?,?,?,?,?,?,00C75BA3,?), ref: 00C7554B
WriteFile.KERNEL32(?,?,00000001,00C75BA3,00000000,?,?,?,?,?,?,?,?,?,00C75BA3,?), ref: 00C75584

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3671ef84c0633de413ae43bc21e729ac5e04bb8daf23d0b0e1d1ba6e9653a12b
Instruction ID: 9822f15c34645671dfa3d5b74b7af7996603bea59b6153615b99ef0181866ff6
Opcode Fuzzy Hash: 3671ef84c0633de413ae43bc21e729ac5e04bb8daf23d0b0e1d1ba6e9653a12b
Instruction Fuzzy Hash: A551A371A00649AFDB10CFA8D885BEEBBF9EF09300F14855AF559E7291D7709A41CB60

Function 00C62D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C62D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C62D53
_ValidateLocalCookies.LIBCMT ref: 00C62DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C62E0C
_ValidateLocalCookies.LIBCMT ref: 00C62E61

Strings

csm, xrefs: 00C62DF6

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5a2c49a18fb30b587609dc270997456b6dca7251dfe74cce2347989316b56d56
Instruction ID: 87c80a68ac00e61124fe4c627477658e0e1d957e20c93539f227e7046f89679a
Opcode Fuzzy Hash: 5a2c49a18fb30b587609dc270997456b6dca7251dfe74cce2347989316b56d56
Instruction Fuzzy Hash: 1E41B434E00649ABCF20DF68CCC5ADEBBB5BF45364F148165E924AB392D731AA45CBD0

Function 00CC10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CC307A
Part of subcall function 00CC304E: _wcslen.LIBCMT ref: 00CC309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CC1112
WSAGetLastError.WSOCK32 ref: 00CC1121
WSAGetLastError.WSOCK32 ref: 00CC11C9
closesocket.WSOCK32(00000000), ref: 00CC11F9

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 40ca33f165018c0ac2b7e0f83cffcf55f0bdbabe9d39c434898adffc16be358a
Instruction ID: 4f774d6bed147c804a9028c0aebb691ebe2e3be09fa177420ba397f89bf6db96
Opcode Fuzzy Hash: 40ca33f165018c0ac2b7e0f83cffcf55f0bdbabe9d39c434898adffc16be358a
Instruction Fuzzy Hash: 4341C131600205AFDB109F55C884FAEBBE9FF46324F188159FD169B292C778EE41CBA1

Function 00CACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CACF22,?), ref: 00CADDFD

Part of subcall function 00CADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CACF22,?), ref: 00CADE16

lstrcmpiW.KERNEL32(?,?), ref: 00CACF45
MoveFileW.KERNEL32(?,?), ref: 00CACF7F
_wcslen.LIBCMT ref: 00CAD005
_wcslen.LIBCMT ref: 00CAD01B
SHFileOperationW.SHELL32(?), ref: 00CAD061

Strings

\*.*, xrefs: 00CACFF3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 88dcc6f505d60ed626e579d0b5cf801fb2506921012ec2e8d4e538b329840b61
Instruction ID: 8f0f36040c2114306e22a2f180aa7dfe9331bc37bc73d658ae1ccae98ad8f965
Opcode Fuzzy Hash: 88dcc6f505d60ed626e579d0b5cf801fb2506921012ec2e8d4e538b329840b61
Instruction Fuzzy Hash: C641537194521A9EDF12EBA4DDC1BDEB7B8AF09384F1000E6E515EB142EA34AB48DB50

Function 00CD2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CD2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CD2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CD2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CD2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CD2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CD2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CD2F0B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6557273fed19a97b3ce8a480ba2d01b1f5be8e97f08f5da53f3defe06c5276dc
Instruction ID: 91b21f538f183145b18cabba6fd9e25af9dc8bf6a5b41f2fe26c03bef79ba0e7
Opcode Fuzzy Hash: 6557273fed19a97b3ce8a480ba2d01b1f5be8e97f08f5da53f3defe06c5276dc
Instruction Fuzzy Hash: CD311434645251AFDB218F58DC84FA937E0EBAA712F1441A6FA20CB3B1CB71ED41DB10

Function 00CA7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA778F
SysAllocString.OLEAUT32(00000000), ref: 00CA7792
SysAllocString.OLEAUT32(?), ref: 00CA77B0
SysFreeString.OLEAUT32(?), ref: 00CA77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00CA77DE
SysAllocString.OLEAUT32(?), ref: 00CA77EC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b499e2304ae40cfc31fa9b533f68f013fd4568046147b42991a38dc7f41411ba
Instruction ID: 3d0b4411c3f8e538cf2f6e8d346030034f37764db7e9ab73381bbf709a06e6bb
Opcode Fuzzy Hash: b499e2304ae40cfc31fa9b533f68f013fd4568046147b42991a38dc7f41411ba
Instruction Fuzzy Hash: 9C21A17660521AAFDB11DFA8CC88EBF73ACFB0A3687008226B914DB150D670DD41C764

Function 00CA77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA7868
SysAllocString.OLEAUT32(00000000), ref: 00CA786B
SysAllocString.OLEAUT32 ref: 00CA788C
SysFreeString.OLEAUT32 ref: 00CA7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00CA78AF
SysAllocString.OLEAUT32(?), ref: 00CA78BD

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1876bc55882fe834207675be824a5361ecab1c018f54b965ac6662406455579e
Instruction ID: 1d98e70585a778bdf30f0fbcf9aa1f962aa553d920c7d072fbc086c40c940993
Opcode Fuzzy Hash: 1876bc55882fe834207675be824a5361ecab1c018f54b965ac6662406455579e
Instruction Fuzzy Hash: 8D21B031608206AFDB109FA8CC88EBA77ACFF0A3647108225F914DB2A5D678DD41CB64

Function 00CB04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CB04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CB052E

Strings

nul, xrefs: 00CB0567

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 736e908efa97467f8a04fe54a805ac3e14521d940401c02fe7fa6439d8552d57
Instruction ID: 50b819b1de5b43313acd18ac7878d695a0e5d49e84af1581c8fb36a68f5988e0
Opcode Fuzzy Hash: 736e908efa97467f8a04fe54a805ac3e14521d940401c02fe7fa6439d8552d57
Instruction Fuzzy Hash: 8B212CB5500306AFDB309F69DC45BDB77A4AF54724F304A19E8B1D62E0D7709A58CF24

Function 00CB05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CB05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CB0601

Strings

nul, xrefs: 00CB0639

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d3dd79c6a5d3e8ef76d171b87662aea8b26991b3b85e3539829fb1686017dbc1
Instruction ID: c330e1d5885341acaed8e9605f4083edb0a54f7bdff3cd1d75838b821be25743
Opcode Fuzzy Hash: d3dd79c6a5d3e8ef76d171b87662aea8b26991b3b85e3539829fb1686017dbc1
Instruction Fuzzy Hash: 4A213D755002169BDB209F699844BDB77E4AF95721F300A19FCB1E72E0D6709960CB20

Function 00CD40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C4604C
Part of subcall function 00C4600E: GetStockObject.GDI32(00000011), ref: 00C46060
Part of subcall function 00C4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C4606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CD4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CD411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CD412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CD4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CD4145

Strings

Msctls_Progress32, xrefs: 00CD40E3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 11c068cdcfabbb3689ef669d1583ff159830a1162463c6eaf5aa32e0ede6b855
Instruction ID: f0f038fb881b317c5ae774cab1b8de715a3aec5badfc3d6babdf55cb09006c91
Opcode Fuzzy Hash: 11c068cdcfabbb3689ef669d1583ff159830a1162463c6eaf5aa32e0ede6b855
Instruction Fuzzy Hash: 0E1163B1150219BFEF119E64CC85EEB7F6DEF09798F014111F718A6190CA729C61DBA4

Function 00C7D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C7D7A3: _free.LIBCMT ref: 00C7D7CC

_free.LIBCMT ref: 00C7D82D

Part of subcall function 00C729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000), ref: 00C729DE
Part of subcall function 00C729C8: GetLastError.KERNEL32(00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000,00000000), ref: 00C729F0

_free.LIBCMT ref: 00C7D838
_free.LIBCMT ref: 00C7D843
_free.LIBCMT ref: 00C7D897
_free.LIBCMT ref: 00C7D8A2
_free.LIBCMT ref: 00C7D8AD
_free.LIBCMT ref: 00C7D8B8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c5abc04a584c21cb84e9491548d0bc1e597319c27ab1ccc8d819b3e7c2e4ad81
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 24115B71940B04AADA21BFB4CC47FCBBBECBF40700F448865B29EE6092DA65B545A660

Function 00CADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CADA74
LoadStringW.USER32(00000000), ref: 00CADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CADA91
LoadStringW.USER32(00000000), ref: 00CADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CADAB9

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f7e12bb4342e6e4570087efaada7933b38025a882a0f137ca29d29ad21b77d7c
Instruction ID: 254d0c24735b83526a95fbe6f94721d56ee996bbeef63f1e689fb283b204bc2d
Opcode Fuzzy Hash: f7e12bb4342e6e4570087efaada7933b38025a882a0f137ca29d29ad21b77d7c
Instruction Fuzzy Hash: FF014BF29002197FEB10ABA09DC9FEA336CEB09705F400592B706E2041EA749E848B74

Function 00CB096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0180D860,0180D860), ref: 00CB097B
EnterCriticalSection.KERNEL32(0180D840,00000000), ref: 00CB098D
TerminateThread.KERNEL32(?,000001F6), ref: 00CB099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00CB09A9
CloseHandle.KERNEL32(?), ref: 00CB09B8
InterlockedExchange.KERNEL32(0180D860,000001F6), ref: 00CB09C8
LeaveCriticalSection.KERNEL32(0180D840), ref: 00CB09CF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d4c8101f789cd2e1436f57327a1605e73c7221e321483e601a6c0e6641faa1e7
Instruction ID: 96c3d07c29ff1d9d32488c672e2714c39c822390bbe2801d7970e4bc1d81705b
Opcode Fuzzy Hash: d4c8101f789cd2e1436f57327a1605e73c7221e321483e601a6c0e6641faa1e7
Instruction Fuzzy Hash: F3F0C932483A13ABD7516BA4EEC9BDABB29BF05702F502126F202908A1C7759575CF90

Function 00C45D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C45D30
GetWindowRect.USER32(?,?), ref: 00C45D71
ScreenToClient.USER32(?,?), ref: 00C45D99
GetClientRect.USER32(?,?), ref: 00C45ED7
GetWindowRect.USER32(?,?), ref: 00C45EF8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7957714dcd4a713d8b92fa0dfa10bbb57c583e50d9f6cc064dd0dc45f5229f51
Instruction ID: 6e45e58f46cf994499ea7a3db4c692869707f4531cb75b406d4b2b3d745df29d
Opcode Fuzzy Hash: 7957714dcd4a713d8b92fa0dfa10bbb57c583e50d9f6cc064dd0dc45f5229f51
Instruction Fuzzy Hash: 37B18874A00B4ADBDB14DFA9C4807EEB7F1FF48314F14841AE8AAD7290DB34AA51DB54

Function 00C701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C700D6
__allrem.LIBCMT ref: 00C700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C7010B
__allrem.LIBCMT ref: 00C70122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C70140

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 3bdc76a030cba5ee1a78225c2816d5dc67cfe22ffb89322ff40d5a23fc6876de
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: C581F772A00706DBE724AF79DC82B6F73E9AF41364F24813EF529D6281EB70DA019751

Function 00CC1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00CC101C,00000000,?,?,00000000), ref: 00CC3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CC1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CC1DE1
WSAGetLastError.WSOCK32 ref: 00CC1DF2
inet_ntoa.WSOCK32(?), ref: 00CC1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00CC1EDB
_strlen.LIBCMT ref: 00CC1F35

Part of subcall function 00CA39E8: _strlen.LIBCMT ref: 00CA39F2

Part of subcall function 00C46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00C5CF58,?,?,?), ref: 00C46DBA
Part of subcall function 00C46D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00C5CF58,?,?,?), ref: 00C46DED

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 12bd6d82de370b67b828e369208e54062596a3ddbbeb659246cae774aebd23d8
Instruction ID: 0e02634b92b65f5c7b3d604dbe744b2e8e80a2cfc70a7c11bd4a53c02f73a7c5
Opcode Fuzzy Hash: 12bd6d82de370b67b828e369208e54062596a3ddbbeb659246cae774aebd23d8
Instruction Fuzzy Hash: FBA1C030104341AFC324DF65C895F2AB7E5AF86318F58894CF8565B2A3CB71EE46DB92

Function 00C761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C682D9,00C682D9,?,?,?,00C7644F,00000001,00000001,8BE85006), ref: 00C76258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C7644F,00000001,00000001,8BE85006,?,?,?), ref: 00C762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C763D8
__freea.LIBCMT ref: 00C763E5

Part of subcall function 00C73820: RtlAllocateHeap.NTDLL(00000000,?,00D11444,?,00C5FDF5,?,?,00C4A976,00000010,00D11440,00C413FC,?,00C413C6,?,00C41129), ref: 00C73852

__freea.LIBCMT ref: 00C763EE
__freea.LIBCMT ref: 00C76413

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c32ae24ffead501258466af840bd9e59f9f00117cb0d3b34cdcd959cba35846c
Instruction ID: f3a082990da35fd15a9c2a45cfef024e149b90544e9d27f176e30ca4ecaca782
Opcode Fuzzy Hash: c32ae24ffead501258466af840bd9e59f9f00117cb0d3b34cdcd959cba35846c
Instruction Fuzzy Hash: 93510072A00A16ABEB258F64CC81EAF7BA9EF44710F248229FD19D7151EB34DD40D7A0

Function 00CCBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CCB6AE,?,?), ref: 00CCC9B5
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCC9F1
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA68
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CCBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CCBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CCBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CCBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CCBDF3
RegCloseKey.ADVAPI32(?), ref: 00CCBDFF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6560bb9ec6aa82b42e48a633797a2eb0c2e4691e230ff7c68be43c23f1ffdeac
Instruction ID: b9ab0f839ac15404ae624175a3112adb2a1e516dd49f9508a70ed2622cba0bb3
Opcode Fuzzy Hash: 6560bb9ec6aa82b42e48a633797a2eb0c2e4691e230ff7c68be43c23f1ffdeac
Instruction Fuzzy Hash: 3A818E70208241AFD714DF64C886F2ABBE5FF84308F14895DF55A8B2A2DB31ED45DB92

Function 00C9F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C9F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C9F860
VariantCopy.OLEAUT32(00C9FA64,00000000), ref: 00C9F889
VariantClear.OLEAUT32(00C9FA64), ref: 00C9F8AD
VariantCopy.OLEAUT32(00C9FA64,00000000), ref: 00C9F8B1
VariantClear.OLEAUT32(?), ref: 00C9F8BB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 77f61d11dc0309666518a32872f2e52ced4e2b03a43300417e190da88fc79a28
Instruction ID: 92770a96e5b4e7e3c84e534e2e5e9f3a34881a7e6ac006a3815a1fa3e5764525
Opcode Fuzzy Hash: 77f61d11dc0309666518a32872f2e52ced4e2b03a43300417e190da88fc79a28
Instruction Fuzzy Hash: 2151D735500310BACF24AF66D899B69B3A4EF45320F24846FE805DF291DB70CC42D796

Function 00CB910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C47620: _wcslen.LIBCMT ref: 00C47625

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CB94E5
_wcslen.LIBCMT ref: 00CB9506
_wcslen.LIBCMT ref: 00CB952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CB9585

Strings

X, xrefs: 00CB9412

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 946edb13e6f1a1af33e54f8a13a798d8c561bc19730ac7e1ee8b2cf5597e87f7
Instruction ID: ea8f2786b2d897cc79545e4cd3038006d12971000409a032c3b7f13b7908b873
Opcode Fuzzy Hash: 946edb13e6f1a1af33e54f8a13a798d8c561bc19730ac7e1ee8b2cf5597e87f7
Instruction Fuzzy Hash: E0E1AF31A083518FD724DF24C881BAAB7E4FF85314F14896DF9999B2A2DB31DD05CB92

Function 00C5920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

BeginPaint.USER32(?,?,?), ref: 00C59241
GetWindowRect.USER32(?,?), ref: 00C592A5
ScreenToClient.USER32(?,?), ref: 00C592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C592D3
EndPaint.USER32(?,?,?,?,?), ref: 00C59321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C971EA

Part of subcall function 00C59339: BeginPath.GDI32(00000000), ref: 00C59357

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: abd0cff49b48ec25f7a2d962f2276807528773c88a95ee32df7116efa5d7ed6d
Instruction ID: 5ee3a7034eb04403dcc1fa0abfa97941c50f951797a7eee37262f9f4163bfd88
Opcode Fuzzy Hash: abd0cff49b48ec25f7a2d962f2276807528773c88a95ee32df7116efa5d7ed6d
Instruction Fuzzy Hash: 3B41AE75105301EFDB10DF24CC88FAA7BA8EB55321F040269FA64C72A1CB30998AEB61

Function 00CB07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CB080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CB0847
EnterCriticalSection.KERNEL32(?), ref: 00CB0863
LeaveCriticalSection.KERNEL32(?), ref: 00CB08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CB08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CB0921

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1b14dfd5d80aae46775075a50d4dc9ad2d2825e2f1a59ea2302fa598a48f80ed
Instruction ID: a830f43096ba749544f300d0f6ea8999183a6113059e0e7b82a3b8302bca760b
Opcode Fuzzy Hash: 1b14dfd5d80aae46775075a50d4dc9ad2d2825e2f1a59ea2302fa598a48f80ed
Instruction Fuzzy Hash: 87416771900205EFDF14AF54DC85AAAB7B8FF04300F2440A9ED04AA297DB71DE65DBA4

Function 00CD81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C9F3AB,00000000,?,?,00000000,?,00C9682C,00000004,00000000,00000000), ref: 00CD824C
EnableWindow.USER32(?,00000000), ref: 00CD8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CD82D1
ShowWindow.USER32(?,00000004), ref: 00CD82E5
EnableWindow.USER32(?,00000001), ref: 00CD830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CD832F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 091021e4647253eb170f2b11971ba1d69626f2c8fa22ed49552012eea08ecfb1
Instruction ID: fab68fb3dbb7e3d123d6f0c921ac907c594a9d8c85c26640fc691ef39546e960
Opcode Fuzzy Hash: 091021e4647253eb170f2b11971ba1d69626f2c8fa22ed49552012eea08ecfb1
Instruction Fuzzy Hash: 0D416574601644AFDF15CF15CC95BE87BE1BB06715F18426AE7288B372CB319949CF50

Function 00CA4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CA4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CA4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CA4CEA
_wcslen.LIBCMT ref: 00CA4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CA4D10
_wcsstr.LIBVCRUNTIME ref: 00CA4D1A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 3f9c627bbbac2dfb52545fa815997454b54ac41c51264f148d333d097e69af58
Instruction ID: bd8c9dc76c6ac9879e211a6be41717164bf7a2f35c415f182b631d2d21b1ae34
Opcode Fuzzy Hash: 3f9c627bbbac2dfb52545fa815997454b54ac41c51264f148d333d097e69af58
Instruction Fuzzy Hash: 5221D731605202BBEB295B39DC4AF7F7BACDF86754F10402AF809CA191DBA1DD41D6A0

Function 00CB581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C43AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C43A97,?,?,00C42E7F,?,?,?,00000000), ref: 00C43AC2

_wcslen.LIBCMT ref: 00CB587B
CoInitialize.OLE32(00000000), ref: 00CB5995
CoCreateInstance.OLE32(00CDFCF8,00000000,00000001,00CDFB68,?), ref: 00CB59AE
CoUninitialize.OLE32 ref: 00CB59CC

Strings

.lnk, xrefs: 00CB5876, 00CB58C1, 00CB5985

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a30c4cbb98eeccc1ec25b2e8d0f9dc0055a2950966fa48714c066f148233cec1
Instruction ID: 6d7c973d7adc86ff76ad70f33bb106976cc9053b5eaaf6c4b31453cf5b488bd0
Opcode Fuzzy Hash: a30c4cbb98eeccc1ec25b2e8d0f9dc0055a2950966fa48714c066f148233cec1
Instruction Fuzzy Hash: D2D16471A087019FC714DF24C480A6ABBE1FF89710F14895DF89A9B3A1DB31ED46CB92

Function 00CA175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CA0FCA
Part of subcall function 00CA0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CA0FD6
Part of subcall function 00CA0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CA0FE5
Part of subcall function 00CA0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CA0FEC
Part of subcall function 00CA0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CA1002

GetLengthSid.ADVAPI32(?,00000000,00CA1335), ref: 00CA17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CA17BA
HeapAlloc.KERNEL32(00000000), ref: 00CA17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CA17DA
GetProcessHeap.KERNEL32(00000000,00000000,00CA1335), ref: 00CA17EE
HeapFree.KERNEL32(00000000), ref: 00CA17F5

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: a006fd3c9575d2f18a703c9b10bfcc099f65c45103c23f4047772c5882be772a
Instruction ID: 06d492bafe8f77bafa9482670949044aaaf6a858560013e3d1d9a7bafe50dc71
Opcode Fuzzy Hash: a006fd3c9575d2f18a703c9b10bfcc099f65c45103c23f4047772c5882be772a
Instruction Fuzzy Hash: 9F11BE31501216FFDB109FA4CC89FAE7BB9EB42359F184019F881E7290C735AA40CB60

Function 00CA14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CA14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00CA1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CA1515
CloseHandle.KERNEL32(00000004), ref: 00CA1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CA154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CA1563

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 056945362a57b11ebdbb167db1ee5ee63057eef0ca251e1158f542c26df7c0ab
Instruction ID: cf4259346486f3f4e759a195a79c9c770236ece1ed2ece6d18a3cc08e456cfa4
Opcode Fuzzy Hash: 056945362a57b11ebdbb167db1ee5ee63057eef0ca251e1158f542c26df7c0ab
Instruction Fuzzy Hash: 3F11297250120AABDF118F98DD89BDE7BA9EF49758F088115FE15A20A0C375DE60DB60

Function 00C63382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C63379,00C62FE5), ref: 00C63390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C6339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C633B7
SetLastError.KERNEL32(00000000,?,00C63379,00C62FE5), ref: 00C63409

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fd56ccf9e3918a4a257123a097cbc910d3e418b7919ba4e8d6a97319331bf11f
Instruction ID: 4de877bda6653bf94f52489c9846c51e093fb0725f6502da6a4fac61ebaf8c80
Opcode Fuzzy Hash: fd56ccf9e3918a4a257123a097cbc910d3e418b7919ba4e8d6a97319331bf11f
Instruction Fuzzy Hash: 9C01DF32619352BEEA3527B5BCC5B6B2A94EB0537A720033AF524C13F0EF118E12A564

Function 00C72D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C75686,00C83CD6,?,00000000,?,00C75B6A,?,?,?,?,?,00C6E6D1,?,00D08A48), ref: 00C72D78
_free.LIBCMT ref: 00C72DAB
_free.LIBCMT ref: 00C72DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C6E6D1,?,00D08A48,00000010,00C44F4A,?,?,00000000,00C83CD6), ref: 00C72DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C6E6D1,?,00D08A48,00000010,00C44F4A,?,?,00000000,00C83CD6), ref: 00C72DEC
_abort.LIBCMT ref: 00C72DF2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 41afc8a1e5d6ca24145b369fa4f3d82710ecb52c1b7a24cb9868c4ac26f941e2
Instruction ID: 6849e76999d02c049004141782d6eaed80356d3518c19d335403b7e9dc7be271
Opcode Fuzzy Hash: 41afc8a1e5d6ca24145b369fa4f3d82710ecb52c1b7a24cb9868c4ac26f941e2
Instruction Fuzzy Hash: C2F0A4329056017BC6323779BC06B5E2669ABD17A1F24C519F83CD21E6EF248941E161

Function 00CD8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C59693
Part of subcall function 00C59639: SelectObject.GDI32(?,00000000), ref: 00C596A2
Part of subcall function 00C59639: BeginPath.GDI32(?), ref: 00C596B9
Part of subcall function 00C59639: SelectObject.GDI32(?,00000000), ref: 00C596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CD8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CD8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CD8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CD8A80
EndPath.GDI32(?), ref: 00CD8A90
StrokePath.GDI32(?), ref: 00CD8AA0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 35806c24d6afa72c9641c0c4103c9a80ac4efb58db13f4df75ff4b5144c2bdc9
Instruction ID: 3d75dc5b70ce07609622ce1b1d6e708bb1b3b0aea749440d4d26999ab2e50c06
Opcode Fuzzy Hash: 35806c24d6afa72c9641c0c4103c9a80ac4efb58db13f4df75ff4b5144c2bdc9
Instruction Fuzzy Hash: D8110976001149FFDF129F90DC88FAA7F6CEB08350F008012FA199A1A1C771AE55DFA0

Function 00CA51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CA5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CA5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA5230
ReleaseDC.USER32(00000000,00000000), ref: 00CA5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CA524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00CA5261

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: af8dac94d7748afb0f75245f865aa9b42ed31e90768f2ff90021f77652a6e0d2
Instruction ID: ddf1b2b1dba37d7f3f0ce0f4cbfc828150c4f3adc18fa6a92d0df14abc82e737
Opcode Fuzzy Hash: af8dac94d7748afb0f75245f865aa9b42ed31e90768f2ff90021f77652a6e0d2
Instruction Fuzzy Hash: 30018F75A01719BBEB109BA59C89B8EBFB8EF48351F044166FA04A7281D6709901CBA0

Function 00C41BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C41BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C41BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C41C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C41C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C41C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C41C22

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ff39923718691d692e91842ebdd8eacd679b5e041b54b72d63898ab591578c1d
Instruction ID: cee3ed8c1d25e69ac688bcc12c516688c84395bd9820d3751043e6205ea2aaff
Opcode Fuzzy Hash: ff39923718691d692e91842ebdd8eacd679b5e041b54b72d63898ab591578c1d
Instruction Fuzzy Hash: 5B0167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00CAEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CAEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CAEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00CAEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CAEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CAEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CAEB75

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 25f590040fefd5cec6aa5dc6179ffc2b1334c66ee530085e2e8ebde2840e494f
Instruction ID: f6535074e7e8c79110fdf538f97717a9d4f23b5ab1078835f9fff2e366de252c
Opcode Fuzzy Hash: 25f590040fefd5cec6aa5dc6179ffc2b1334c66ee530085e2e8ebde2840e494f
Instruction Fuzzy Hash: C6F0307214216ABBEB215B529C4DFEF7B7CEFCAB11F00015AF611D1091D7A05A02C6B5

Function 00C97439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C97452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C97469
GetWindowDC.USER32(?), ref: 00C97475
GetPixel.GDI32(00000000,?,?), ref: 00C97484
ReleaseDC.USER32(?,00000000), ref: 00C97496
GetSysColor.USER32(00000005), ref: 00C974B0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f951b4d9091de6adcb4be97accf9fa8f6bdae036d9ed8d9747f2658714af470c
Instruction ID: 954fe36ce3835e56886b83fd145950a1787f4f1fda0b36a33a99057305ea2699
Opcode Fuzzy Hash: f951b4d9091de6adcb4be97accf9fa8f6bdae036d9ed8d9747f2658714af470c
Instruction Fuzzy Hash: FA018B31405216EFDB105FA4DC48BAE7BB5FB04311F100165F926A21A1CB311E42EF10

Function 00CA1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CA187F
UnloadUserProfile.USERENV(?,?), ref: 00CA188B
CloseHandle.KERNEL32(?), ref: 00CA1894
CloseHandle.KERNEL32(?), ref: 00CA189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CA18A5
HeapFree.KERNEL32(00000000), ref: 00CA18AC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 28e3ba463aa1d34c22c94a0d6501f743f9286513ebe8119e79577b997b8bb633
Instruction ID: 0487c84cc5cc934a7369222acf95bf62b10263857c3948a17b09b85058bfc876
Opcode Fuzzy Hash: 28e3ba463aa1d34c22c94a0d6501f743f9286513ebe8119e79577b997b8bb633
Instruction Fuzzy Hash: 78E0C236045112BBDA016BA1ED4CB4EBB29FB49B22B108222F225810B0CB329420DB50

Function 00CAC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C47620: _wcslen.LIBCMT ref: 00C47625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CAC6EE
_wcslen.LIBCMT ref: 00CAC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CAC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CAC7CA

Strings

0, xrefs: 00CAC6AF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e053790ef85e1dbd3dbddfbeabd918711d132446007dab484fd70311dfeb95b1
Instruction ID: 5ea9e121eb2097eb30797f04bf41025c892269b882fe2e0111de774490c81089
Opcode Fuzzy Hash: e053790ef85e1dbd3dbddfbeabd918711d132446007dab484fd70311dfeb95b1
Instruction Fuzzy Hash: E851DE716043029BD715DF28C8C5BAB77E8AF4A318F040A2DF9A5D32A1DB74DA44DF92

Function 00CCAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CCAEA3

Part of subcall function 00C47620: _wcslen.LIBCMT ref: 00C47625

GetProcessId.KERNEL32(00000000), ref: 00CCAF38
CloseHandle.KERNEL32(00000000), ref: 00CCAF67

Strings

@, xrefs: 00CCAE72
<, xrefs: 00CCAE6B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 53447c4638414e6b392dc06c1bc4c8673ccfd9b66947fba5c8d3458e24f1658b
Instruction ID: 7f4ff97134fb66f8a39d35e2a10f3efdfd0e691a303c22c2777cb0b12a99f809
Opcode Fuzzy Hash: 53447c4638414e6b392dc06c1bc4c8673ccfd9b66947fba5c8d3458e24f1658b
Instruction Fuzzy Hash: EB713575A00619DFCB14DF94C489A9EBBB0FF08314F04849DE816AB3A2C775EE45DB91

Function 00CA719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CA7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CA723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CA724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CA72CF

Strings

DllGetClassObject, xrefs: 00CA7242

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b00c8252a06dbe2a0e1034ff7405b049110473dd012f989da0cf26a9dec1a21a
Instruction ID: 44f3b395f4b780a62c19eb1baa3ed8a994a678fafb386ae0c892b741555d451e
Opcode Fuzzy Hash: b00c8252a06dbe2a0e1034ff7405b049110473dd012f989da0cf26a9dec1a21a
Instruction Fuzzy Hash: 9A416E71604206EFDB15CF54CC84B9A7BA9FF45318F1482AABD05DF20AD7B0DA45DBA0

Function 00CD3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD3E35
IsMenu.USER32(?), ref: 00CD3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CD3E92
DrawMenuBar.USER32 ref: 00CD3EA5

Strings

0, xrefs: 00CD3D89

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 93bdb7c8e4a0d145624c479242c30910d38f6add0179526f70f8b16d573b3576
Instruction ID: db5643aab5d980d49e92e7f245bbe6ede6454dd0ee3e719e4f83143a5223e144
Opcode Fuzzy Hash: 93bdb7c8e4a0d145624c479242c30910d38f6add0179526f70f8b16d573b3576
Instruction Fuzzy Hash: 5E416875A01249AFDB10DF50D884AEABBB9FF49350F04412AEA25A7390D730EE41DF61

Function 00CA1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CA1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CA1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CA1EA9

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

Strings

ComboBox, xrefs: 00CA1DF0
ListBox, xrefs: 00CA1E25

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: cb7d5fbdbaf945ba668def57e1aecf331d0e2bafaebed6b1322016edfe15c4f1
Instruction ID: fb74e348f569352786ad78a2c4a935ac0c10fc52623376297d8619687f5afdef
Opcode Fuzzy Hash: cb7d5fbdbaf945ba668def57e1aecf331d0e2bafaebed6b1322016edfe15c4f1
Instruction Fuzzy Hash: A2210571A00105BEDB14AB64DC8ADFFBBB9EF46368F144119FC25A71E1DB344A0AA620

Function 00CCC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CCC9F1
_wcslen.LIBCMT ref: 00CCCA68
_wcslen.LIBCMT ref: 00CCCA9E
_wcslen.LIBCMT ref: 00CCCAF9
_wcslen.LIBCMT ref: 00CCCB2F
_wcslen.LIBCMT ref: 00CCCB7F

Strings

HKLM, xrefs: 00CCCA98, 00CCCA9D
HKEY_LOCAL_MACHINE, xrefs: 00CCCA62, 00CCCA67

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 97a92f2a58df171c2a8435af296002be07834a4b4734e9753521d66cf3632d30
Instruction ID: c447e405292b7fc1e8402f84e7e8c712a29d69ab2a8e56b5ae0b81b606f58f08
Opcode Fuzzy Hash: 97a92f2a58df171c2a8435af296002be07834a4b4734e9753521d66cf3632d30
Instruction Fuzzy Hash: 4E31E673A4056A4BCB20DF2DC9C4BBF33919BA1750B55402DE86DAB385EA71CF41B3A0

Function 00CD2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CD2F8D
LoadLibraryW.KERNEL32(?), ref: 00CD2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CD2FA9
DestroyWindow.USER32(?), ref: 00CD2FB1

Strings

SysAnimate32, xrefs: 00CD2F68

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 3c8dbd8105a6a022fa5f89a696680bbbe730bdb8997d813b3ec882d81049357c
Instruction ID: 7330c86a16ac001df3dcc25064830960828969cdd4b1c62d0cb9ffb9dca37885
Opcode Fuzzy Hash: 3c8dbd8105a6a022fa5f89a696680bbbe730bdb8997d813b3ec882d81049357c
Instruction Fuzzy Hash: B1219D71204225AFEB104FA4DC80FBB77BDEF69364F104A1AFA64D6290D771DC52A760

Function 00C64D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C64D1E,00C728E9,?,00C64CBE,00C728E9,00D088B8,0000000C,00C64E15,00C728E9,00000002), ref: 00C64D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C64DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C64D1E,00C728E9,?,00C64CBE,00C728E9,00D088B8,0000000C,00C64E15,00C728E9,00000002,00000000), ref: 00C64DC3

Strings

mscoree.dll, xrefs: 00C64D86
CorExitProcess, xrefs: 00C64D98

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9315a803502ce0cbb5986b8144360d84eb8358ded74f2fc6371b1282588b188e
Instruction ID: 3676667a74282e7cde3ebb2a69531e7936b264312bf993b8486abed96c00a8e5
Opcode Fuzzy Hash: 9315a803502ce0cbb5986b8144360d84eb8358ded74f2fc6371b1282588b188e
Instruction Fuzzy Hash: 40F04F35A41219BBDB259F91DC89BAEBBB9EF44751F1001A5F809A2260CF705A80DA90

Function 00C9D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00C9D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C9D3BF
FreeLibrary.KERNEL32(00000000), ref: 00C9D3E5

Strings

X64, xrefs: 00C9D2A8
GetSystemWow64DirectoryW, xrefs: 00C9D3B9

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 3a5f5726f474e41e5520e0c35b7c70ac0deb46da065c2288c7d133fd5b6626ec
Instruction ID: e0d64d2858ac13cd6e7e961244e42bd3f9a9281c7e3a41b71905f11bb33db557
Opcode Fuzzy Hash: 3a5f5726f474e41e5520e0c35b7c70ac0deb46da065c2288c7d133fd5b6626ec
Instruction Fuzzy Hash: 8BF0E575806E229BDF7517218C9CB6D7324AF10B03BA5825AF917F2164DB20CE85C692

Function 00C44E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C44EDD,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C44EAE
FreeLibrary.KERNEL32(00000000,?,?,00C44EDD,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C44EA8
kernel32.dll, xrefs: 00C44E94

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0a0c6ea6509160f4beb31e301fc2df64cf596f42fb71222a30e640db2568fd39
Instruction ID: 2699abc0865587a978a3df5bb7e0725493273031fba60af1141d53b912d5fe9c
Opcode Fuzzy Hash: 0a0c6ea6509160f4beb31e301fc2df64cf596f42fb71222a30e640db2568fd39
Instruction Fuzzy Hash: 05E0C236A03633ABD2321B25AC5CB6FA758BF81F62B150127FD14E2290DF60CE02C0B0

Function 00C44E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C83CDE,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C44E74
FreeLibrary.KERNEL32(00000000,?,?,00C83CDE,?,00D11418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C44E87

Strings

kernel32.dll, xrefs: 00C44E5B
Wow64RevertWow64FsRedirection, xrefs: 00C44E6E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c48754e282f71d74d507354458a1df6270a0ac5a5c84bcc8eb41ebc394b6d280
Instruction ID: dce883d2fbdde654427e51e612e970b1a8c3a87f857317c596cce21fea1069d1
Opcode Fuzzy Hash: c48754e282f71d74d507354458a1df6270a0ac5a5c84bcc8eb41ebc394b6d280
Instruction Fuzzy Hash: 57D01236503633679A261B256C5CF8FAB1CBF85B513150627B915E3155CF60CE01C5E0

Function 00CB2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CB2C05
DeleteFileW.KERNEL32(?), ref: 00CB2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CB2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CB2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CB2CC0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1690813f69132848b125adcf3fafa25b4436a71cde74b471974c17e45b719ff4
Instruction ID: 48eec5eeb1c1aab546eee137e0cc5cc2433521319f98b0bb1cb0d4317c871602
Opcode Fuzzy Hash: 1690813f69132848b125adcf3fafa25b4436a71cde74b471974c17e45b719ff4
Instruction Fuzzy Hash: 21B15D72E00129ABDF25DFA4CC85EDEBBBDEF48350F1040A6F609E6151EA319A449F61

Function 00CCA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CCA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CCA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CCA468
CloseHandle.KERNEL32(?), ref: 00CCA63D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: c890972e2449485315758600c65e92f0a9f4a706adad3b7e1d0ec755c0f81a4b
Instruction ID: 1fcb407b0e99186e4a7c08285e44666256f518ce2abbde4502106fc6ab0e75e0
Opcode Fuzzy Hash: c890972e2449485315758600c65e92f0a9f4a706adad3b7e1d0ec755c0f81a4b
Instruction Fuzzy Hash: 54A1A0716043019FE720DF28C886F2AB7E5AF84714F14885DF96A9B392D771ED45CB82

Function 00CAE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CACF22,?), ref: 00CADDFD

Part of subcall function 00CADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CACF22,?), ref: 00CADE16

Part of subcall function 00CAE199: GetFileAttributesW.KERNEL32(?,00CACF95), ref: 00CAE19A

lstrcmpiW.KERNEL32(?,?), ref: 00CAE473
MoveFileW.KERNEL32(?,?), ref: 00CAE4AC
_wcslen.LIBCMT ref: 00CAE5EB
_wcslen.LIBCMT ref: 00CAE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CAE650

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a093bba0b323360089072fe5f17b52cc99e6df5e065b2944c591150aad50beee
Instruction ID: 036894c104d39c3e8713b10eedef318068244712e2530ffd640260de90209853
Opcode Fuzzy Hash: a093bba0b323360089072fe5f17b52cc99e6df5e065b2944c591150aad50beee
Instruction Fuzzy Hash: 7A5182B24083465BC724EB94DC819DFB3ECAF85344F00491EF699D3191EF74A688C7A6

Function 00CCB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CCC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CCB6AE,?,?), ref: 00CCC9B5
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCC9F1
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA68
Part of subcall function 00CCC998: _wcslen.LIBCMT ref: 00CCCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CCBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CCBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CCBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CCBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CCBBB3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b4e50d5b9a82f83297135a40aca0818e46e1045e55e4ed96df4c0c77755aac63
Instruction ID: 1e3d8ab7ba1f1442bd30551839d8ac93335f08d47c3e0e5e2497abe3f3b7cc89
Opcode Fuzzy Hash: b4e50d5b9a82f83297135a40aca0818e46e1045e55e4ed96df4c0c77755aac63
Instruction Fuzzy Hash: D1618E31208241AFD714DF64C491F2ABBE5FF84308F54899DF49A8B2A2DB31ED45DB92

Function 00CA8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CA8BCD
VariantClear.OLEAUT32 ref: 00CA8C3E
VariantClear.OLEAUT32 ref: 00CA8C9D
VariantClear.OLEAUT32(?), ref: 00CA8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CA8D3B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ce6bc190a107c7632a488be277fa448e1376652005c3709d74fd6227948c9144
Instruction ID: d4c57cf4595f344943484798e93ccd5d38a7db67bc5cef71a43f9b866a5b4ba1
Opcode Fuzzy Hash: ce6bc190a107c7632a488be277fa448e1376652005c3709d74fd6227948c9144
Instruction Fuzzy Hash: 43516BB5A0021AEFCB14DF68C894AAAB7F8FF89314B158559F915DB350E730E911CF90

Function 00CB8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CB8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CB8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CB8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CB8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CB8C5F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c62b048f4844be55df2e3008784a6056cb6279cb9962b78f68a540d23088e01a
Instruction ID: 8a9cfe488f4bcb09d2bd6ba13499b739890605fa0b63420005181258c069d27c
Opcode Fuzzy Hash: c62b048f4844be55df2e3008784a6056cb6279cb9962b78f68a540d23088e01a
Instruction Fuzzy Hash: 5F515975A00215AFCB04DF64C881EAEBBF5FF48314F088459E849AB362CB35ED45DB90

Function 00CC8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CC8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CC8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CC8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CC9032
FreeLibrary.KERNEL32(00000000), ref: 00CC9052

Part of subcall function 00C5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CB1043,?,753CE610), ref: 00C5F6E6
Part of subcall function 00C5F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C9FA64,00000000,00000000,?,?,00CB1043,?,753CE610,?,00C9FA64), ref: 00C5F70D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 702eb427381d28aa1228a0c095b5a90d9ba8058b694ef6893f2e523394bdf859
Instruction ID: ffd113f63cf55d2d1b36f5cc1481d84dbfdd4622b6157efebb2cf11dc35086c4
Opcode Fuzzy Hash: 702eb427381d28aa1228a0c095b5a90d9ba8058b694ef6893f2e523394bdf859
Instruction Fuzzy Hash: EE513835601215DFC715DF58C494EAEBBB1FF49314B0480A9E81A9B362DB31EE86CB90

Function 00CD6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CD6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CD6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CD6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CBAB79,00000000,00000000), ref: 00CD6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CD6CC7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b90b7f6344a7cc971a89c00fe5057d7fa7682bd5d223b1a747efd07aab73faa1
Instruction ID: 6d5462b81c08a8b6ed5dd7894c5f94a83b8ccd7ad3d82b6ffffbebd1942c541c
Opcode Fuzzy Hash: b90b7f6344a7cc971a89c00fe5057d7fa7682bd5d223b1a747efd07aab73faa1
Instruction Fuzzy Hash: E141E435610104BFDB24CF28CC98FBA7BA5EB49350F15026AFAA5A73E0C771EE41DA50

Function 00C72051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C720C3
_free.LIBCMT ref: 00C720E3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: aa9fe866a086e02002ff66f68c61ed517974f027b6063a69cf924dca4973b14e
Instruction ID: ce0c65c332e94a1a7251158519698be9cab8eabd3bcd289fc18ee5be7639392e
Opcode Fuzzy Hash: aa9fe866a086e02002ff66f68c61ed517974f027b6063a69cf924dca4973b14e
Instruction Fuzzy Hash: 2D41E432A002009FCB24DF78C881A5DB7F5FF89314F558569EA19EB396D731AE01DB90

Function 00C5912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C59141
ScreenToClient.USER32(00000000,?), ref: 00C5915E
GetAsyncKeyState.USER32(00000001), ref: 00C59183
GetAsyncKeyState.USER32(00000002), ref: 00C5919D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2b728da503bd4bf050b0c9fe6e6947f79dffe940efcf82900ae26174221c57f1
Instruction ID: d205dabbaad59c2b44c59fb3a7526e11c50318595390a4e0ae85a957424bce72
Opcode Fuzzy Hash: 2b728da503bd4bf050b0c9fe6e6947f79dffe940efcf82900ae26174221c57f1
Instruction Fuzzy Hash: E9416F35A0861BFBDF159F64C848BEEB774FB05321F208356E829A7290C7306E94DB95

Function 00CB3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CB38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CB3922
TranslateMessage.USER32(?), ref: 00CB394B
DispatchMessageW.USER32(?), ref: 00CB3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CB3966

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d7c9eee93f0ef1263e5d3673f4a01a47f237fcb6bc9b0a67d5aa98823d09384b
Instruction ID: 33dd614afa09b6b58ae5cc3217fcfe616348613ab6fca4885be24f5de8eb5a31
Opcode Fuzzy Hash: d7c9eee93f0ef1263e5d3673f4a01a47f237fcb6bc9b0a67d5aa98823d09384b
Instruction Fuzzy Hash: 5A31A674D043C2BEEB25CB359848BF637A8AB05304F04456EE572C21E0EBB5AB85CB21

Function 00CBCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CBC21E,00000000), ref: 00CBCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CBCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CBC21E,00000000), ref: 00CBCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CBC21E,00000000), ref: 00CBCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CBC21E,00000000), ref: 00CBCFF2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1a95f2c624782af8785e2e052da505158363c76667a60bcec0a719d203d667aa
Instruction ID: 210ae264db0404d312a3b76664ce41f85e529edaa2a3177d5b7e499ea83cebd1
Opcode Fuzzy Hash: 1a95f2c624782af8785e2e052da505158363c76667a60bcec0a719d203d667aa
Instruction Fuzzy Hash: 02313871A00206AFDB24DFE5C8C4ABABBF9EB14351F1044AEF516D2150DB30AE41DB60

Function 00CA1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CA1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00CA19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00CA19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00CA19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CA19E2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 377c483995a4617aa5df2d1e6dba72e8398134c252d2367da502267968ff755d
Instruction ID: 0763fda864c18f335b1c842b68bfda5cc4ced5543463703a9124a90858f37e91
Opcode Fuzzy Hash: 377c483995a4617aa5df2d1e6dba72e8398134c252d2367da502267968ff755d
Instruction Fuzzy Hash: 30318D71A0021AEFCB04CFB8C999BDE7BB5EB45319F144229FD21AB2D1C7709A54DB90

Function 00CD5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CD5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CD579D
_wcslen.LIBCMT ref: 00CD57AF
_wcslen.LIBCMT ref: 00CD57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CD5816

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: fcf370852572a539959329e553adde3eb6d6d9842f925617fbc9c5aadd643556
Instruction ID: 737dba68d46be273a6cb1cc0e9c6b15646880bbfb30e8dfd44aaeaa7ea601ab6
Opcode Fuzzy Hash: fcf370852572a539959329e553adde3eb6d6d9842f925617fbc9c5aadd643556
Instruction Fuzzy Hash: C3218575904618EADB209F65DC85AED77B8FF04724F108217FA29EA2C0D7708A85CF51

Function 00CC0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CC0951
GetForegroundWindow.USER32 ref: 00CC0968
GetDC.USER32(00000000), ref: 00CC09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CC09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CC09E8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: bd0fd43f85980cd2dcdaf2932e6096fc3f377a09931545ef911459840e8e5aaf
Instruction ID: 6f10e482660a824d091f302f927895cd9a42696f785346fe637ec53b9287cc1c
Opcode Fuzzy Hash: bd0fd43f85980cd2dcdaf2932e6096fc3f377a09931545ef911459840e8e5aaf
Instruction Fuzzy Hash: D8215B35600214AFD704EFA9C888BAEBBE9EF48700F14806DF85A97362CA34ED04DB50

Function 00C7CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C7CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C7CDE9

Part of subcall function 00C73820: RtlAllocateHeap.NTDLL(00000000,?,00D11444,?,00C5FDF5,?,?,00C4A976,00000010,00D11440,00C413FC,?,00C413C6,?,00C41129), ref: 00C73852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C7CE0F
_free.LIBCMT ref: 00C7CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C7CE31

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: bcf2b15325f8b3b7af10e5d504de8ece798bae6ae86a780929a2f0789dcb4f6d
Instruction ID: 04b437442b541af9c01ccda225a283d442e70232b56bf44cd9c0ff47a8605f62
Opcode Fuzzy Hash: bcf2b15325f8b3b7af10e5d504de8ece798bae6ae86a780929a2f0789dcb4f6d
Instruction Fuzzy Hash: 2D0188726026177F272116B66CC8E7F6A6DDFC6BA1315C12EF919C7201DA618E0191B0

Function 00C59639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C59693
SelectObject.GDI32(?,00000000), ref: 00C596A2
BeginPath.GDI32(?), ref: 00C596B9
SelectObject.GDI32(?,00000000), ref: 00C596E2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3c6b851be8184b7d30c51d7301b3df9795a37fb24c211a6fe31e2e8523685a9f
Instruction ID: a8ebd9704dccc67c270d15a6723ec3620421c31ef96b68bb6bb14511e48ab688
Opcode Fuzzy Hash: 3c6b851be8184b7d30c51d7301b3df9795a37fb24c211a6fe31e2e8523685a9f
Instruction Fuzzy Hash: 68219038802306EBDB108F24DC487EE3BA5FB10312F108256F930D62B0DB70598ACFA8

Function 00CA5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CA5726
_memcmp.LIBVCRUNTIME ref: 00CA5744
_memcmp.LIBVCRUNTIME ref: 00CA5757
_memcmp.LIBVCRUNTIME ref: 00CA576F
_memcmp.LIBVCRUNTIME ref: 00CA5787

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7249dcc413c2d4fb672864480746b0305dd2a21a011c1b1033aac82bd408c45b
Instruction ID: cfbcd041984f08afa1f237b9dc969be87d4798b07a5c104e5b36775c5ac6d451
Opcode Fuzzy Hash: 7249dcc413c2d4fb672864480746b0305dd2a21a011c1b1033aac82bd408c45b
Instruction Fuzzy Hash: C101FE61251606FBD22851119D81FBB734C9B62369F08C035FD16FA341F720ED5182A0

Function 00C72DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C6F2DE,00C73863,00D11444,?,00C5FDF5,?,?,00C4A976,00000010,00D11440,00C413FC,?,00C413C6), ref: 00C72DFD
_free.LIBCMT ref: 00C72E32
_free.LIBCMT ref: 00C72E59
SetLastError.KERNEL32(00000000,00C41129), ref: 00C72E66
SetLastError.KERNEL32(00000000,00C41129), ref: 00C72E6F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a4ec0199b560b2aa83609c305049f1c55303393e4509099a80326837677cf574
Instruction ID: fd8d090d8c2f0a0d710cbe82bd50f9742b3313b18272f972f058147073035e9d
Opcode Fuzzy Hash: a4ec0199b560b2aa83609c305049f1c55303393e4509099a80326837677cf574
Instruction Fuzzy Hash: 4C01F4322056007BC61227356C85E6F265DABC53A2B24C129F83DE22E3EF648D416020

Function 00CA000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?,?,00CA035E), ref: 00CA002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?), ref: 00CA0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?), ref: 00CA0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?), ref: 00CA0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C9FF41,80070057,?,?), ref: 00CA0070

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cab86227dafd4d6efaa0a7646c973064891d97a8eee7b7d793b54e4c6cc895f8
Instruction ID: a188108525dbc617b98665787a7afe93e1d10993a2e9baf7367418a5e4b6db33
Opcode Fuzzy Hash: cab86227dafd4d6efaa0a7646c973064891d97a8eee7b7d793b54e4c6cc895f8
Instruction Fuzzy Hash: FB018B72601606BFDB104F69DC88FAE7BAEEB48796F244129F905D2210E775DE40DBA0

Function 00CAE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00CAE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00CAE9A5
Sleep.KERNEL32(00000000), ref: 00CAE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00CAE9B7
Sleep.KERNEL32 ref: 00CAE9F3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2919d6e41451158d93974e04ad9788fd64c65ef7776d5d03f971e6671bd624ba
Instruction ID: 660a5ccfa6ce61dc4d2abb725f7985e63e8e92c8520cc67de59e0a037cd88b55
Opcode Fuzzy Hash: 2919d6e41451158d93974e04ad9788fd64c65ef7776d5d03f971e6671bd624ba
Instruction Fuzzy Hash: 47011B31C0162ADBCF00ABF5D899BEEBB78BB0A705F000556E512B2151CB309655C7A1

Function 00CA10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CA1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CA0B9B,?,?,?), ref: 00CA1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CA114D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 00f85c72ebbc87207a4501bb7a51bf5b5101c03330e0df2ec691106cd54e8544
Instruction ID: 791cc72bf54000a3bef592af42ae8e1a75cf864970e58f798676328d026cb5cc
Opcode Fuzzy Hash: 00f85c72ebbc87207a4501bb7a51bf5b5101c03330e0df2ec691106cd54e8544
Instruction Fuzzy Hash: 35016975201216BFDB115FA4DC89B6E3B6EEF8A3A4B25041AFA41C3360DA31DD00DA60

Function 00CA0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CA0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CA0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CA0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CA0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CA1002

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c6197c755b40cbb7269cfbcd17b2e493d67c307fc67a5c9b0b04fab29ac8239e
Instruction ID: 60beb78d28ba0d421eeaf389fd5f78d300ac0659b9a9c2a02e0f87efe92ad24c
Opcode Fuzzy Hash: c6197c755b40cbb7269cfbcd17b2e493d67c307fc67a5c9b0b04fab29ac8239e
Instruction Fuzzy Hash: 07F04935241312EFDB215FA49C89F5A3BADEF8A762F154416FA45C6291CA70EC50CA60

Function 00CA1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CA102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CA1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CA1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CA104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CA1062

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 584cb5b98d05441d2566ef5b822e5d8b085e498b60df58e54a428257a717b6a1
Instruction ID: 8e6852f44d536abfec7dbbb0f5982e78d1e431450bfbbee09c4d36cdb3cc910c
Opcode Fuzzy Hash: 584cb5b98d05441d2566ef5b822e5d8b085e498b60df58e54a428257a717b6a1
Instruction Fuzzy Hash: F7F06D35241312EBDB215FA4EC89F9A3BADEF8A761F150416FE55C7290CA70E950CA60

Function 00CB030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CB017D,?,00CB32FC,?,00000001,00C82592,?), ref: 00CB0324
CloseHandle.KERNEL32(?,?,?,?,00CB017D,?,00CB32FC,?,00000001,00C82592,?), ref: 00CB0331
CloseHandle.KERNEL32(?,?,?,?,00CB017D,?,00CB32FC,?,00000001,00C82592,?), ref: 00CB033E
CloseHandle.KERNEL32(?,?,?,?,00CB017D,?,00CB32FC,?,00000001,00C82592,?), ref: 00CB034B
CloseHandle.KERNEL32(?,?,?,?,00CB017D,?,00CB32FC,?,00000001,00C82592,?), ref: 00CB0358
CloseHandle.KERNEL32(?,?,?,?,00CB017D,?,00CB32FC,?,00000001,00C82592,?), ref: 00CB0365

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 46246747db6bd4168d1a75eb744d6ef15ace2d117fb1f5066762563f5a2d455e
Instruction ID: 3b2f11c221be27f43f2925ddf1c288098ca6e4cfbd60153931720bc942ddd40a
Opcode Fuzzy Hash: 46246747db6bd4168d1a75eb744d6ef15ace2d117fb1f5066762563f5a2d455e
Instruction Fuzzy Hash: A501A272801B159FC7309F66D890457F7F5BF503153258A3FD1A652931C771AA54CF80

Function 00C7D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C7D752

Part of subcall function 00C729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000), ref: 00C729DE
Part of subcall function 00C729C8: GetLastError.KERNEL32(00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000,00000000), ref: 00C729F0

_free.LIBCMT ref: 00C7D764
_free.LIBCMT ref: 00C7D776
_free.LIBCMT ref: 00C7D788
_free.LIBCMT ref: 00C7D79A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aa19a3f3d2c4dbe6bef284b107232a407deeaf43e42f04d9977c0651d99aca40
Instruction ID: e29df5a6d1c8cd79336fe85cd8090860b37781a6b2ef8a9a03b1dbb3182744b2
Opcode Fuzzy Hash: aa19a3f3d2c4dbe6bef284b107232a407deeaf43e42f04d9977c0651d99aca40
Instruction Fuzzy Hash: 9EF04F32510304ABC625EB79F9C1D16B7EDBF44311F989805F15EE7606C720FC808A74

Function 00CA5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CA5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CA5C6F
MessageBeep.USER32(00000000), ref: 00CA5C87
KillTimer.USER32(?,0000040A), ref: 00CA5CA3
EndDialog.USER32(?,00000001), ref: 00CA5CBD

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6bbfd359272f124e8aed538afc6d5a5707e9cb23ebedf595347f32ebb5465c84
Instruction ID: bc8882fb6932ec8a07222a431dbe45cbb72b74c7f7f15d4b7e82014e142f8cc7
Opcode Fuzzy Hash: 6bbfd359272f124e8aed538afc6d5a5707e9cb23ebedf595347f32ebb5465c84
Instruction Fuzzy Hash: 0101FE30500B059BEB205B10DD8EFDA77B8FF0570DF00025AB553610E0D7F09945CB50

Function 00C722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C722BE

Part of subcall function 00C729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000), ref: 00C729DE
Part of subcall function 00C729C8: GetLastError.KERNEL32(00000000,?,00C7D7D1,00000000,00000000,00000000,00000000,?,00C7D7F8,00000000,00000007,00000000,?,00C7DBF5,00000000,00000000), ref: 00C729F0

_free.LIBCMT ref: 00C722D0
_free.LIBCMT ref: 00C722E3
_free.LIBCMT ref: 00C722F4
_free.LIBCMT ref: 00C72305

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a55a319de202eb539d194248a66ce4b2a7285e67fdacdecd6003e98449af8a19
Instruction ID: 36a910c409caf3ee3170d2829c0371482049018eb696add76f72d68fe80ef8aa
Opcode Fuzzy Hash: a55a319de202eb539d194248a66ce4b2a7285e67fdacdecd6003e98449af8a19
Instruction Fuzzy Hash: 54F03074451310ABC712BF64BC029887F64BB18760B05D606F618D23B1CF750593ABB8

Function 00C595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C595D4
StrokeAndFillPath.GDI32(?,?,00C971F7,00000000,?,?,?), ref: 00C595F0
SelectObject.GDI32(?,00000000), ref: 00C59603
DeleteObject.GDI32 ref: 00C59616
StrokePath.GDI32(?), ref: 00C59631

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f6cbecba3f55d4fbdc50b3fe35f1db9b6aed4af741c02343e7467c6ad2a4c142
Instruction ID: 34508983981710929db6e2cc5e5aa1914db2edfbbf92e506d229733893546df6
Opcode Fuzzy Hash: f6cbecba3f55d4fbdc50b3fe35f1db9b6aed4af741c02343e7467c6ad2a4c142
Instruction Fuzzy Hash: 8FF01938006305EBDB125F65ED587A83B61EB00322F048255FA35951F0CB308AAADF24

Function 00C70F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C710F9
__freea.LIBCMT ref: 00C71117

Part of subcall function 00C71537: _free.LIBCMT ref: 00C7154F

Strings

a/p, xrefs: 00C711DE
am/pm, xrefs: 00C7117A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c62089a1f5905b347f4c18d85f79ba56e4d5cd1e32292b68baaa6cd821ead859
Instruction ID: a8c2f19c27a4940cf683c01a185965d816fec9a7112526f07da81184b7ebaf0d
Opcode Fuzzy Hash: c62089a1f5905b347f4c18d85f79ba56e4d5cd1e32292b68baaa6cd821ead859
Instruction Fuzzy Hash: 7ED1F231910246CADB249F6DC895BFEBBB4EF05700F2CC119ED29AB661D3359E80DB51

Function 00CC7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C60242: EnterCriticalSection.KERNEL32(00D1070C,00D11884,?,?,00C5198B,00D12518,?,?,?,00C412F9,00000000), ref: 00C6024D
Part of subcall function 00C60242: LeaveCriticalSection.KERNEL32(00D1070C,?,00C5198B,00D12518,?,?,?,00C412F9,00000000), ref: 00C6028A

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00C600A3: __onexit.LIBCMT ref: 00C600A9

__Init_thread_footer.LIBCMT ref: 00CC7BFB

Part of subcall function 00C601F8: EnterCriticalSection.KERNEL32(00D1070C,?,?,00C58747,00D12514), ref: 00C60202
Part of subcall function 00C601F8: LeaveCriticalSection.KERNEL32(00D1070C,?,00C58747,00D12514), ref: 00C60235

Strings

G, xrefs: 00CC7C7F
5, xrefs: 00CC7C78
Variable must be of type 'Object'., xrefs: 00CC7C3A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 511167095b0503118a5ebcded2336d479961b91eeedb70c4bda9c12118c70545
Instruction ID: ad2515021c0764a7336160e9bdf5b73eaa73945d23f61d25ce21eabacf6ecae4
Opcode Fuzzy Hash: 511167095b0503118a5ebcded2336d479961b91eeedb70c4bda9c12118c70545
Instruction Fuzzy Hash: 40918D74A04209AFCB14EF94D891EADB7B1FF49300F10815DF8169B292DB71AE85DF51

Function 00CA2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CA21D0,?,?,00000034,00000800,?,00000034), ref: 00CAB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CA2760

Part of subcall function 00CAB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CA21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00CAB3F8

Part of subcall function 00CAB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00CAB355
Part of subcall function 00CAB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CA2194,00000034,?,?,00001004,00000000,00000000), ref: 00CAB365
Part of subcall function 00CAB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CA2194,00000034,?,?,00001004,00000000,00000000), ref: 00CAB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CA27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CA281A

Strings

@, xrefs: 00CA2832

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8199efc777f9e47295336cc67b6a96594bc5dc4b5ba2eea057f0bc2fdee4bc1d
Instruction ID: 1db20319618d4eb7d1a64c4e1ba0ee8e771397db2e93edeca92ae13c7218da38
Opcode Fuzzy Hash: 8199efc777f9e47295336cc67b6a96594bc5dc4b5ba2eea057f0bc2fdee4bc1d
Instruction Fuzzy Hash: 33413C72901219AFDB10DBA4CD81BEEBBB8EF0A304F004055FA55B7191DB706F45DBA0

Function 00C7172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C71769
_free.LIBCMT ref: 00C71834
_free.LIBCMT ref: 00C7183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C71760, 00C71767, 00C71796, 00C717CE

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 9e2e4266b9eee8a8f01d774e1555fbc133bf043ae34a3f1cd5b2758b8ec059a3
Instruction ID: 7f0e84219c00f4a85f21d602df26545a482d9b0cfcd69c48a662f00001e0ff26
Opcode Fuzzy Hash: 9e2e4266b9eee8a8f01d774e1555fbc133bf043ae34a3f1cd5b2758b8ec059a3
Instruction Fuzzy Hash: BB31A075A00218FFCB21DF99D881D9EBBFCEB85310B18816AF918D7251DA708E41DBA1

Function 00CAC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CAC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00CAC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D11990,01816B70), ref: 00CAC395

Strings

0, xrefs: 00CAC2DF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d55f99ece3b4f610f2400c72432f2473753ed171500b67c5c030d900ea67df70
Instruction ID: 0edd1f6ab5ca116643fb7c848472a900a2fe0e05a07e81d55744073ad4350785
Opcode Fuzzy Hash: d55f99ece3b4f610f2400c72432f2473753ed171500b67c5c030d900ea67df70
Instruction Fuzzy Hash: E841A5312093029FDB24DF25D8C4B5ABBE8EF86318F14861EF965972E1D770E904DB52

Function 00CD4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CDCC08,00000000,?,?,?,?), ref: 00CD44AA
GetWindowLongW.USER32 ref: 00CD44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CD44D7

Strings

SysTreeView32, xrefs: 00CD447C

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: aa76530b0fc6b9660a16db70a3372d0384a1ce2013ab25fb04cfe958b27f36c0
Instruction ID: 7b93de4e091443a700a747fc895a6d0b6054fb274d512e6d334862248a35e2d1
Opcode Fuzzy Hash: aa76530b0fc6b9660a16db70a3372d0384a1ce2013ab25fb04cfe958b27f36c0
Instruction Fuzzy Hash: C2319E31210206AFDF248F38DC85BEA7BA9EB48334F204716FA79922E0D770ED919750

Function 00CC304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CC3077,?,?), ref: 00CC3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CC307A
_wcslen.LIBCMT ref: 00CC309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CC3106

Strings

255.255.255.255, xrefs: 00CC3095, 00CC309A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7fc4d6239732a8d5482b75e10bd8e094ec36a52fe2dbf80a4521cb8a87830e30
Instruction ID: 6b8aefa675c0114e9e9beedab79b5b8f84edfe8d6e8f10937db5a87b9be9e47d
Opcode Fuzzy Hash: 7fc4d6239732a8d5482b75e10bd8e094ec36a52fe2dbf80a4521cb8a87830e30
Instruction Fuzzy Hash: 2F31B2366042819FCB10CF29E985FAA77E0EF54318F28C059E9268B392DB32DF41D761

Function 00CD3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CD3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CD3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CD3F78

Strings

SysMonthCal32, xrefs: 00CD3F0B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bb4bde214e9567c8d3ed9e02ad9b790ec5d39996282a6ea1d94402c21888a88a
Instruction ID: 2f899d6651af443915238ab9f093676112b54c03c06e238b1ab2fbad228629da
Opcode Fuzzy Hash: bb4bde214e9567c8d3ed9e02ad9b790ec5d39996282a6ea1d94402c21888a88a
Instruction Fuzzy Hash: 7F21AB32600259BFDF218F90CC86FEE3B79EB48714F110255FA15AB2D0DAB1A955DBA0

Function 00CD4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CD4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CD4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CD471A

Strings

msctls_updown32, xrefs: 00CD4684

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1b89114df638f401a88160ad6fc04ab1ccb1f3f1a0604058e7212fc56afd7967
Instruction ID: 68473c2143af5ae63ba1ae3ba428a12ffc7ce2a907b6844e0254235a9b14fbe9
Opcode Fuzzy Hash: 1b89114df638f401a88160ad6fc04ab1ccb1f3f1a0604058e7212fc56afd7967
Instruction Fuzzy Hash: 37213CB5600209AFDB14DF64DCC1DAB37ADEB5A3A4B15005AFB109B391CB71ED12DA60

Function 00CA95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA961D

Strings

#OnAutoItStartRegister, xrefs: 00CA95F3
#requireadmin, xrefs: 00CA95D9
#notrayicon, xrefs: 00CA95B7

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 13fe20028b28321a6e26704fa5f90a76779ece48a80f726267ad9bdbfb220f54
Instruction ID: 4b4380e083e8d3d7c365e2a499e58b88158f53cf021d0478d589b48e1d967679
Opcode Fuzzy Hash: 13fe20028b28321a6e26704fa5f90a76779ece48a80f726267ad9bdbfb220f54
Instruction Fuzzy Hash: C221873260421266C331AB259C43FBB73D8EF92308F00452AFA5A97181EBB1AE46D295

Function 00CD37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CD3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CD3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CD3876

Strings

Listbox, xrefs: 00CD380F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 35b9bd9d2d016f7ae573d1b1b0d4ffc789930bc98cdb55f04593175a65a299ca
Instruction ID: 0d0317d4aa229c0482b88edd1e494e9ca1b33e58318127e9d3658219a8052de8
Opcode Fuzzy Hash: 35b9bd9d2d016f7ae573d1b1b0d4ffc789930bc98cdb55f04593175a65a299ca
Instruction Fuzzy Hash: 4121DE72600219BBEF218F54CC85FAB376AEF89750F018126FA109B290CA71DD1297A0

Function 00CB49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CB4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CB4A5C
SetErrorMode.KERNEL32(00000000,?,?,00CDCC08), ref: 00CB4AD0

Strings

%lu, xrefs: 00CB4A6F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e4a4856330641f215c6135ce2912c56171efe157d03d71185fbb7635e9d3836d
Instruction ID: 5ea1900b3a83cf7374c3ea19ba2e7aecbe068f6a6acd779d85b24aa20b45f677
Opcode Fuzzy Hash: e4a4856330641f215c6135ce2912c56171efe157d03d71185fbb7635e9d3836d
Instruction Fuzzy Hash: 3A314C75A00119AFDB14DF54C885EAE7BF8EF08308F1480A9E909DB252D771EE46DB61

Function 00CD41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CD424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CD4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CD4271

Strings

msctls_trackbar32, xrefs: 00CD4226

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 64bd9ce13c6f97fd55b134e81d795dd5d6f1905754f58ff38c35cc03b384f426
Instruction ID: 2a41d4f61bd8ab3282721c72c7606b32cee3f1b363ea3c56e8aae6f5afc19a0d
Opcode Fuzzy Hash: 64bd9ce13c6f97fd55b134e81d795dd5d6f1905754f58ff38c35cc03b384f426
Instruction Fuzzy Hash: F0110231240208BFEF205F29CC06FAB7BACEF95B64F110125FB55E61A0D671DC129B20

Function 00CA2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C46B57: _wcslen.LIBCMT ref: 00C46B6A

Part of subcall function 00CA2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CA2DC5
Part of subcall function 00CA2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA2DD6
Part of subcall function 00CA2DA7: GetCurrentThreadId.KERNEL32 ref: 00CA2DDD
Part of subcall function 00CA2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CA2DE4

GetFocus.USER32 ref: 00CA2F78

Part of subcall function 00CA2DEE: GetParent.USER32(00000000), ref: 00CA2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00CA2FC3
EnumChildWindows.USER32(?,00CA303B), ref: 00CA2FEB

Strings

%s%d, xrefs: 00CA2FFF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 40c61f030f30ba0938b1f0363f8770366a70b88d053de46998bb9eec1956063a
Instruction ID: 9baca7afacf5771cac5a19c306e601fee6643a9b9072dab5779cedb21f94bd9e
Opcode Fuzzy Hash: 40c61f030f30ba0938b1f0363f8770366a70b88d053de46998bb9eec1956063a
Instruction Fuzzy Hash: 4A11A27160020A6BCF147F748CD5FEE776AAF85318F044075FD099B292DE309A4AEB60

Function 00CD5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CD58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CD58EE
DrawMenuBar.USER32(?), ref: 00CD58FD

Strings

0, xrefs: 00CD588F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c6f427e7e967d3689acf320faf26b3a2094bf618b669972f9dfb65208acbee8a
Instruction ID: bfda59fa6903c7dcfd28606be93228099e070c413f1c7ce524aeb6845bcd0523
Opcode Fuzzy Hash: c6f427e7e967d3689acf320faf26b3a2094bf618b669972f9dfb65208acbee8a
Instruction Fuzzy Hash: D0018031500218EFDB219F15EC45BAEBBB8FF45361F10809AE949D6251EB708A86EF25

Function 00CA007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bb26d876c781d4fdc2a097dbeb55090702e7b6ad9d2b4dffe9809400bf1481
Instruction ID: d16a8efb77dfc0782bc28269f876202513c423269b67850ebffda69e2186b28d
Opcode Fuzzy Hash: d9bb26d876c781d4fdc2a097dbeb55090702e7b6ad9d2b4dffe9809400bf1481
Instruction Fuzzy Hash: 44C14E75A0020AEFDB14CF94C898BAEB7B5FF49748F208598E515EB251D731DE81CB90

Function 00C73E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C73F0B
__alldvrm.LIBCMT ref: 00C7410C
__alldvrm.LIBCMT ref: 00C7412E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 4cf764ba127241aa9812910858be606cc59df3a505b7b2254371579e48272d1d
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 55A16B71E003869FD729DF58C8917AEBBE5EF61350F18C1ADE5A99B241C7348E81C750

Function 00CC342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CC3459
CoUninitialize.OLE32 ref: 00CC3463
VariantInit.OLEAUT32(?), ref: 00CC346E
VariantClear.OLEAUT32(?), ref: 00CC371B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: f21a9e5c5b3aa756827e7ea3546b87fe7296baefdd51f2a16dc27a8f955fe715
Instruction ID: 6a4be4eb0c6d5152aa07a90678b0f8e54dc878437a145bede342e708b2f20284
Opcode Fuzzy Hash: f21a9e5c5b3aa756827e7ea3546b87fe7296baefdd51f2a16dc27a8f955fe715
Instruction Fuzzy Hash: B1A147756042109FC710DF28C985E2AB7E5FF88714F04895DF98A9B3A2DB30EE45DB92

Function 00CA0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CDFC08,?), ref: 00CA05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CDFC08,?), ref: 00CA0608
CLSIDFromProgID.OLE32(?,?,00000000,00CDCC40,000000FF,?,00000000,00000800,00000000,?,00CDFC08,?), ref: 00CA062D
_memcmp.LIBVCRUNTIME ref: 00CA064E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4385568c658f8a01889a8c3272f4641d9e548f8fa2e305b8a8345f327d90d0d3
Instruction ID: 0d0846975b2a20f28acefb86c34bf17db67c916cfcb47ffcdaaa2aec75ccc256
Opcode Fuzzy Hash: 4385568c658f8a01889a8c3272f4641d9e548f8fa2e305b8a8345f327d90d0d3
Instruction Fuzzy Hash: 5D812E71A0010AEFCB04DF94C984EEEB7B9FF89359F204558F516AB250DB71AE06CB60

Function 00CCA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CCA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CCA6BA

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CCA79C
CloseHandle.KERNEL32(00000000), ref: 00CCA7AB

Part of subcall function 00C5CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C83303,?), ref: 00C5CE8A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d370b222b364c2ff90b1bb7c047184879d9d39c8571f917958794cb10ab36c19
Instruction ID: 2cf0102b38a6800e6860229390b3fa9cc0ea5cc9b6b4f8d2c045889d58bc4914
Opcode Fuzzy Hash: d370b222b364c2ff90b1bb7c047184879d9d39c8571f917958794cb10ab36c19
Instruction Fuzzy Hash: 22512A71508311AFD710EF24C886E6BBBE8FF89754F00491DF995972A2EB70D904DB92

Function 00C81391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C814C0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4fd7ec0a56d21d803e7435c040a5a764cdfa5ef874af478963edef6de277e2cb
Instruction ID: 4659f5ed194f5f16281e4640106964b218479911c725d1137fe0b7c1c7ce288e
Opcode Fuzzy Hash: 4fd7ec0a56d21d803e7435c040a5a764cdfa5ef874af478963edef6de277e2cb
Instruction Fuzzy Hash: ED412C31A001106BDB317BB99C85ABE3BECEF85374F1C4225FC29D6191E67489436776

Function 00CD6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CD62E2
ScreenToClient.USER32(?,?), ref: 00CD6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CD6382

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 672983b348a4881254b38724939856340e50c53f79cb48ed20da4f973791b693
Instruction ID: a8bf86b80d402d35224a720408f029ce9eb16fde0471a15ff63750ddebcb2c98
Opcode Fuzzy Hash: 672983b348a4881254b38724939856340e50c53f79cb48ed20da4f973791b693
Instruction Fuzzy Hash: 0B510C74A00209AFDF10DF68D881AAE7BB5FF55360F10825AFA25973A1D730EE41CB90

Function 00CC1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CC1AFD
WSAGetLastError.WSOCK32 ref: 00CC1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CC1B8A
WSAGetLastError.WSOCK32 ref: 00CC1B94

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 17efd087cc2a23f75c22c18a81661071cb33dade018b53fb55c7e32e99571622
Instruction ID: d17e09a883efddd50c3a8a89baae94dd85022a472edfbf3585450b8ba2d98533
Opcode Fuzzy Hash: 17efd087cc2a23f75c22c18a81661071cb33dade018b53fb55c7e32e99571622
Instruction Fuzzy Hash: 3B41B274600201AFE720AF25C896F2A77E5AB45718F58844CF91A9F3D3D772DD42DB90

Function 00C7B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1a446a1be72b2df71f98e936fe622f83382d7afebc7161fef9e9d8ee307513
Instruction ID: 31426a2cd041c40ece51722a7de81dffa9fe99ac6d6b3da95ce03b57b4f63cfd
Opcode Fuzzy Hash: ca1a446a1be72b2df71f98e936fe622f83382d7afebc7161fef9e9d8ee307513
Instruction Fuzzy Hash: 1641F671A00704BFD724AF78CC45BAABBF9EB88710F10852EF559DB282D7719E019B90

Function 00CB56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CB5783
GetLastError.KERNEL32(?,00000000), ref: 00CB57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CB57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CB57FA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 73bb1e5c898ac50d75dd35335ea99b7923fdba0a77e65f97812e3ca4f67d8f8d
Instruction ID: 9a078856f04b74b9ac2a61912fdc1970c8fc225cddd6a49d3bda98446bcd0830
Opcode Fuzzy Hash: 73bb1e5c898ac50d75dd35335ea99b7923fdba0a77e65f97812e3ca4f67d8f8d
Instruction Fuzzy Hash: 4F410A35600611DFCB11DF55C584A5EBBE2FF89320B198888E85AAF362CB35FD40DB91

Function 00C7D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C66D71,00000000,00000000,00C682D9,?,00C682D9,?,00000001,00C66D71,8BE85006,00000001,00C682D9,00C682D9), ref: 00C7D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C7D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C7D9AB
__freea.LIBCMT ref: 00C7D9B4

Part of subcall function 00C73820: RtlAllocateHeap.NTDLL(00000000,?,00D11444,?,00C5FDF5,?,?,00C4A976,00000010,00D11440,00C413FC,?,00C413C6,?,00C41129), ref: 00C73852

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b920f5408517cfbadefe2584a0681459547b7bac188973d077c2c6502b7526fd
Instruction ID: 6b278a20e67afb39f0ddd9d9782a313f9465ded1e1cc3dcb9f9d22f5ff15febb
Opcode Fuzzy Hash: b920f5408517cfbadefe2584a0681459547b7bac188973d077c2c6502b7526fd
Instruction Fuzzy Hash: 1731F072A1021AABDF249F64DC81EAE7BB5EF40310F058268FC19D7290EB35CE50DB90

Function 00CD52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CD5352
GetWindowLongW.USER32(?,000000F0), ref: 00CD5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CD5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CD53A8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 04b8bea3b2e6170e387d99e269760b974ec71732e7b98b67275e724898549bdd
Instruction ID: cee1fe1177cb7301479a5121db374247a3eb8d907924b902b1b93935da7d2e9d
Opcode Fuzzy Hash: 04b8bea3b2e6170e387d99e269760b974ec71732e7b98b67275e724898549bdd
Instruction Fuzzy Hash: 0731A034A95A08EFEB349A14CC46BE97766AB04390F584103FB21963F1C7B09A90EB51

Function 00CAAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CAABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CAAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CAAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CAACC6

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1af55fcfb5b288001274deac9f09d8a4b5869033100654374f68b5b6dda6d97c
Instruction ID: 475b72b2a54958d740462c69f105662865f2f7d0c51ab93a9fcdd3615cdec247
Opcode Fuzzy Hash: 1af55fcfb5b288001274deac9f09d8a4b5869033100654374f68b5b6dda6d97c
Instruction Fuzzy Hash: 9D313930A0071A6FFF35CB658C097FE7BA6AB8633CF04431AE491921D1D3768A81D752

Function 00CD7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CD769A
GetWindowRect.USER32(?,?), ref: 00CD7710
PtInRect.USER32(?,?,00CD8B89), ref: 00CD7720
MessageBeep.USER32(00000000), ref: 00CD778C

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 97c5d52be59ef94992d9840fd8205d24640e9b99d8404ea88cdae138345cf04a
Instruction ID: 9f7c1ce5c0da9ac2ad8072a1aded6d9d7893d9b0c4c7e4ada1f45a4d5e68e79c
Opcode Fuzzy Hash: 97c5d52be59ef94992d9840fd8205d24640e9b99d8404ea88cdae138345cf04a
Instruction Fuzzy Hash: 7F4154386052159FCB12CF58C894FA9B7F5BB49314F1646A6E624DB361E730E942CF90

Function 00CD16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CD16EB

Part of subcall function 00CA3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA3A57
Part of subcall function 00CA3A3D: GetCurrentThreadId.KERNEL32 ref: 00CA3A5E
Part of subcall function 00CA3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CA25B3), ref: 00CA3A65

GetCaretPos.USER32(?), ref: 00CD16FF
ClientToScreen.USER32(00000000,?), ref: 00CD174C
GetForegroundWindow.USER32 ref: 00CD1752

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b479d24a146f4b9cbd36ada7f280df62532e499c87c025f1e772c9a828ff41b0
Instruction ID: 5f2fcb0e09801b67de4d5eb7646ec67213816c5a35ba0c9b882c031d0442dd95
Opcode Fuzzy Hash: b479d24a146f4b9cbd36ada7f280df62532e499c87c025f1e772c9a828ff41b0
Instruction Fuzzy Hash: A7315E75D01249AFD700EFA9C8C1DAEBBF9FF48304B5480AAE815E7211E7359E45DBA0

Function 00CADF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C47620: _wcslen.LIBCMT ref: 00C47625

_wcslen.LIBCMT ref: 00CADFCB
_wcslen.LIBCMT ref: 00CADFE2
_wcslen.LIBCMT ref: 00CAE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00CAE018

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 45e201a7c33c05119cf689cda717d9ed4ec7c7d6c5a633a1449876520f846f73
Instruction ID: 08a6be774f2d6ba40b1f4c26a05825ccbcebdae104315efc7a74bb25f10a4282
Opcode Fuzzy Hash: 45e201a7c33c05119cf689cda717d9ed4ec7c7d6c5a633a1449876520f846f73
Instruction Fuzzy Hash: B421D171900215AFCB20EFA8C9C2BAEB7F8EF46710F104069F805BB245D6709E41DBA1

Function 00CD8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

GetCursorPos.USER32(?), ref: 00CD9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C97711,?,?,?,?,?), ref: 00CD9016
GetCursorPos.USER32(?), ref: 00CD905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C97711,?,?,?), ref: 00CD9094

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 191de11e720ead0090030b242226b5bde2af286270f5019e7552b9c807642a9b
Instruction ID: da79175e38fcc59e40dbf4562f0a53cdafb4425907cbdaa9c3731b79741780a3
Opcode Fuzzy Hash: 191de11e720ead0090030b242226b5bde2af286270f5019e7552b9c807642a9b
Instruction Fuzzy Hash: 0621E439200004FFCB159F54D854FEA7BB9EF49310F008056FA1587261C731AA90EB60

Function 00CAD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CDCB68), ref: 00CAD2FB
GetLastError.KERNEL32 ref: 00CAD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CAD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CDCB68), ref: 00CAD376

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4d139f98996303c6d0804d366f0f60b024aa73b0e3331e7c1fce1097f36db3de
Instruction ID: 637e7e73f404b4f94f3386580addb8b7fb3767b78823d4483bb2f35b2cbf868f
Opcode Fuzzy Hash: 4d139f98996303c6d0804d366f0f60b024aa73b0e3331e7c1fce1097f36db3de
Instruction Fuzzy Hash: 2F2160705062029F8B10DF68C8855AEB7E4FE56368F104A1EF4ABC72A1D731DA45CB93

Function 00CA1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CA102A
Part of subcall function 00CA1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CA1036
Part of subcall function 00CA1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CA1045
Part of subcall function 00CA1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CA104C
Part of subcall function 00CA1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CA1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CA15BE
_memcmp.LIBVCRUNTIME ref: 00CA15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CA1617
HeapFree.KERNEL32(00000000), ref: 00CA161E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 49b21ef5e549f36b20e765fe782e68766fd02c929e51b3383c61c6e424bac591
Instruction ID: 28fe89403f0a9991d98e1a73d90ccc7945ec808ada16b0bb7ea114373a6d97b6
Opcode Fuzzy Hash: 49b21ef5e549f36b20e765fe782e68766fd02c929e51b3383c61c6e424bac591
Instruction Fuzzy Hash: F9219A31E4110AEFDF10DFA4C985BEEB7B8EF45359F0C4459E861AB241E730AA05DBA0

Function 00CD2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CD280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CD2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CD2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CD2840

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 57ca75470e6f249134e3bf3aa1e0760592383c2f02971602573fae9993dd6294
Instruction ID: 8624024f988402fa4713aeff200dccb00ff33866761a545679114659f0cb99f3
Opcode Fuzzy Hash: 57ca75470e6f249134e3bf3aa1e0760592383c2f02971602573fae9993dd6294
Instruction Fuzzy Hash: 2D210331205112AFD7149B24CC84FAA7B95EF55324F14825AF52A8B3E2C771FD82D790

Function 00CA78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CA790A,?,000000FF,?,00CA8754,00000000,?,0000001C,?,?), ref: 00CA8D8C
Part of subcall function 00CA8D7D: lstrcpyW.KERNEL32(00000000,?,?,00CA790A,?,000000FF,?,00CA8754,00000000,?,0000001C,?,?,00000000), ref: 00CA8DB2
Part of subcall function 00CA8D7D: lstrcmpiW.KERNEL32(00000000,?,00CA790A,?,000000FF,?,00CA8754,00000000,?,0000001C,?,?), ref: 00CA8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CA8754,00000000,?,0000001C,?,?,00000000), ref: 00CA7923
lstrcpyW.KERNEL32(00000000,?,?,00CA8754,00000000,?,0000001C,?,?,00000000), ref: 00CA7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CA8754,00000000,?,0000001C,?,?,00000000), ref: 00CA7984

Strings

cdecl, xrefs: 00CA797B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 692d29ef7fbac98c619052844aa8589e883110fba9d8e7307288d5712c7bbc42
Instruction ID: 5e534599368489278f520871699482b52ad8e4ab9bb092b56726e7d7d7731eed
Opcode Fuzzy Hash: 692d29ef7fbac98c619052844aa8589e883110fba9d8e7307288d5712c7bbc42
Instruction Fuzzy Hash: FA11033A201203ABCF15AF38DC45E7B77A9FF86354B00412BF806C72A4EB319912D7A1

Function 00CD7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CD7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CD7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CD7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CBB7AD,00000000), ref: 00CD7D6B

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d1a037f341cb501786820307d38d2d3e4ad40d4a55e99e9729d822690089a864
Instruction ID: de7f997e8f27b1e64822e206985f37541fa1536ac1cfd96bf0d73d2351a770a9
Opcode Fuzzy Hash: d1a037f341cb501786820307d38d2d3e4ad40d4a55e99e9729d822690089a864
Instruction Fuzzy Hash: 3911CD35205615AFCB109F28DC04BAA3BA6AF45360B218326FA3AC73F0E730CA51DB50

Function 00CD5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CD56BB
_wcslen.LIBCMT ref: 00CD56CD
_wcslen.LIBCMT ref: 00CD56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CD5816

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 53f69285d2135d42ae44933921fa5eaa3043af0dca4fcab7ec00e38411a5d26d
Instruction ID: 07a2957b164592b422fb3c51b9846ca0cd34e4c3277a6b25b33760810960df8b
Opcode Fuzzy Hash: 53f69285d2135d42ae44933921fa5eaa3043af0dca4fcab7ec00e38411a5d26d
Instruction Fuzzy Hash: 3211D375A00608A6DB209F65DC85AEE77ACEF10760B10802BFB25D6281EB70CA85CF64

Function 00C71D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ac7e5710b425e835a12b23a2227b6dbf4c24b777372b5deb7aae4f0ae3b467
Instruction ID: 8f178f8e6f2b2a753b019cf541d9accdaba8de5f3ab4e5d797c149a8b087f203
Opcode Fuzzy Hash: 26ac7e5710b425e835a12b23a2227b6dbf4c24b777372b5deb7aae4f0ae3b467
Instruction Fuzzy Hash: 0301A2B22056163EFA22267C7CC1F6B671CDF513B8F388326F939A11D2DB608D405570

Function 00CA1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CA1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CA1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CA1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CA1A8A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a19d3dd78f45c7c7c4ffd5d0a1de7a826ffef105d255d5b589a925fb16dc7083
Instruction ID: d1ddb87eb417f920ca32294263bc9bf298c9d5d645c3125e913f08dcd8624d4a
Opcode Fuzzy Hash: a19d3dd78f45c7c7c4ffd5d0a1de7a826ffef105d255d5b589a925fb16dc7083
Instruction Fuzzy Hash: 96113C3AD01219FFEB10DBA5CD85FADBB78EB04754F240091EA00B7290D6716F50EB94

Function 00CAE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CAE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00CAE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CAE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CAE24D

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: cbda3046c2e3668060c9f7c368bd40437a3b3ff646224a6470b182752c758609
Instruction ID: d0683587ee9157c1f19683b14ecb3f3267cdf210766f690fa9b23861a8e69a96
Opcode Fuzzy Hash: cbda3046c2e3668060c9f7c368bd40437a3b3ff646224a6470b182752c758609
Instruction Fuzzy Hash: 7911C87690425ABBC7119BA89C49BDE7FACDB46324F048366F925D3391D6708E0487B0

Function 00C6D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C6CFF9,00000000,00000004,00000000), ref: 00C6D218
GetLastError.KERNEL32 ref: 00C6D224
__dosmaperr.LIBCMT ref: 00C6D22B
ResumeThread.KERNEL32(00000000), ref: 00C6D249

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 3d35b106205ffbcb1743d66e2a9b4c02f30a5e7a5e7b9da4b913fd0cec1562ff
Instruction ID: 2bfa45cf750697eec205bfc3bcf948806e190a091356027649a8054fafeefa58
Opcode Fuzzy Hash: 3d35b106205ffbcb1743d66e2a9b4c02f30a5e7a5e7b9da4b913fd0cec1562ff
Instruction Fuzzy Hash: FE01D276E05205BBCB315BA5DC89BAE7B69EF82331F104219F936921E0CB71CE41D6A1

Function 00CD9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C59BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C59BB2

GetClientRect.USER32(?,?), ref: 00CD9F31
GetCursorPos.USER32(?), ref: 00CD9F3B
ScreenToClient.USER32(?,?), ref: 00CD9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CD9F7A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b41d00a8a6a50661237fe0726ed093ed31109cfeaee5166641313216c709af36
Instruction ID: e84fb1d1f21bd0d72ccf8e7ff276fd0173d0f4cf5071d59efae478e7d6d12383
Opcode Fuzzy Hash: b41d00a8a6a50661237fe0726ed093ed31109cfeaee5166641313216c709af36
Instruction Fuzzy Hash: CD115A3A90011ABBDB10DFA8D889AEE77B8FF05311F400556FA11E3240D730BA82DBA1

Function 00C4600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C4604C
GetStockObject.GDI32(00000011), ref: 00C46060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C4606A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 37c18c3b1ec58949c75fab73cd79223df6de32d47a0714c12a4ea20f59720858
Instruction ID: f8cf35fafb4e5ca16c486a545e02e39fab0ce98b3c36792a95f690539833be61
Opcode Fuzzy Hash: 37c18c3b1ec58949c75fab73cd79223df6de32d47a0714c12a4ea20f59720858
Instruction Fuzzy Hash: 08115E72502509BFEF125F949C44BEEBF69FF09355F040216FA2452114DB32DD60DBA5

Function 00C63B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C63B56

Part of subcall function 00C63AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C63AD2
Part of subcall function 00C63AA3: ___AdjustPointer.LIBCMT ref: 00C63AED

_UnwindNestedFrames.LIBCMT ref: 00C63B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C63B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C63BA4

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cb08dd575707fe4911444ecd223c5388686a6eae9daedb23ab78aa6fe5cbeae8
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D0010C32100189BBDF225E95CC86EEB7F6EEF99754F044014FE5896121C732E961EBA0

Function 00C73073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C413C6,00000000,00000000,?,00C7301A,00C413C6,00000000,00000000,00000000,?,00C7328B,00000006,FlsSetValue), ref: 00C730A5
GetLastError.KERNEL32(?,00C7301A,00C413C6,00000000,00000000,00000000,?,00C7328B,00000006,FlsSetValue,00CE2290,FlsSetValue,00000000,00000364,?,00C72E46), ref: 00C730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C7301A,00C413C6,00000000,00000000,00000000,?,00C7328B,00000006,FlsSetValue,00CE2290,FlsSetValue,00000000), ref: 00C730BF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d34b99710b0bfe9552d54a655ae5cc3cd00b15218b396a343d1a9cbb94de2452
Instruction ID: 935d25b4e7d348ec6dd9624f4bb7ea825ac3a2650dfe02ae72597673ff777310
Opcode Fuzzy Hash: d34b99710b0bfe9552d54a655ae5cc3cd00b15218b396a343d1a9cbb94de2452
Instruction Fuzzy Hash: C1012032352273ABC7315B799C85B5B7B9C9F45761B108720F91DD7180D721DA01D6E0

Function 00CA7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00CA747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CA7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CA74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00CA74CA

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e65c8de2b6aef5ba5c361b8eba8c78fda033ae0c65c8a576f22ec4feec9b75a4
Instruction ID: 3d0d649279c33a3cd386be4b63b6b37809f85e0f89a72a20511e5e56e0b68e8f
Opcode Fuzzy Hash: e65c8de2b6aef5ba5c361b8eba8c78fda033ae0c65c8a576f22ec4feec9b75a4
Instruction Fuzzy Hash: D011C4B12063129FE7208F14DD48FA67FFCFB05B08F10866AA626D6151D770E944DF50

Function 00CAB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CAACD3,?,00008000), ref: 00CAB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CAACD3,?,00008000), ref: 00CAB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CAACD3,?,00008000), ref: 00CAB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CAACD3,?,00008000), ref: 00CAB126

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a62b6f3baaba0eb8fac0dac59ee9e769049d8c9a486312660e62625a51ca52bb
Instruction ID: ff05eb9dfdf30edf5e566809d82ac56a248693402494bb246c710b436bebfc0c
Opcode Fuzzy Hash: a62b6f3baaba0eb8fac0dac59ee9e769049d8c9a486312660e62625a51ca52bb
Instruction Fuzzy Hash: 64115B71C01A2EE7CF00AFE5E9987EEBB78FF0A715F104096DA51B2282CB305A51CB51

Function 00CD7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CD7E33
ScreenToClient.USER32(?,?), ref: 00CD7E4B
ScreenToClient.USER32(?,?), ref: 00CD7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD7E8A

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ce76bfab6e6b26e0a08bb89e937c5df9f74c34c1d1c0a6785a5085dfe4707bfd
Instruction ID: 133846d2b4503f1c92f4a45291f23d2b6e716b552ef2890c11779d0b49e5b8a9
Opcode Fuzzy Hash: ce76bfab6e6b26e0a08bb89e937c5df9f74c34c1d1c0a6785a5085dfe4707bfd
Instruction Fuzzy Hash: EA1114B9D0024AAFDB41DF98C884AEEBBF5FF08310F505156E915E3610D735AA55CF50

Function 00CA2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CA2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA2DD6
GetCurrentThreadId.KERNEL32 ref: 00CA2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CA2DE4

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 02f11678b473fd701cd97be2f7c71bf709a322ca6cdb6c1e3a75e47cf3e62344
Instruction ID: c9eb25034570f1c8fcf9fa8a65e0f1b3fdb7ea834a0b10e3a1c5de972f352ec2
Opcode Fuzzy Hash: 02f11678b473fd701cd97be2f7c71bf709a322ca6cdb6c1e3a75e47cf3e62344
Instruction Fuzzy Hash: 3EE06D71502236BADB202B669C8DFEF7F6CEF43BA5F000016B505D10819AA4C941C6B0

Function 00CD8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C59639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C59693
Part of subcall function 00C59639: SelectObject.GDI32(?,00000000), ref: 00C596A2
Part of subcall function 00C59639: BeginPath.GDI32(?), ref: 00C596B9
Part of subcall function 00C59639: SelectObject.GDI32(?,00000000), ref: 00C596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CD8887
LineTo.GDI32(?,?,?), ref: 00CD8894
EndPath.GDI32(?), ref: 00CD88A4
StrokePath.GDI32(?), ref: 00CD88B2

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 49c4cdb8482be4efc8cdb89bc6487667aaead752e99cce0a041f6c0808b725c3
Instruction ID: 35a24ae623f915b151d1689fad579797c3eedfdfaf76a2585a7bb3b9ba33c5d3
Opcode Fuzzy Hash: 49c4cdb8482be4efc8cdb89bc6487667aaead752e99cce0a041f6c0808b725c3
Instruction Fuzzy Hash: F2F0BE3A002259FBDB121F94AC09FDE3F19AF06310F008002FB21611E1CB746615DFE9

Function 00C598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C598CC
SetTextColor.GDI32(?,?), ref: 00C598D6
SetBkMode.GDI32(?,00000001), ref: 00C598E9
GetStockObject.GDI32(00000005), ref: 00C598F1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3db5d1167f77b716eb66a5c797bff9c9c861a2498c0cc58b9a9954341cf9eb21
Instruction ID: 95b6d96cf0d58f92dd7e3a776c7d60299cb95450131af2f30ccbcb0e0d69efcc
Opcode Fuzzy Hash: 3db5d1167f77b716eb66a5c797bff9c9c861a2498c0cc58b9a9954341cf9eb21
Instruction Fuzzy Hash: 30E03931245291AADF215B74AC4DBED3B20AB12336F04831BF6BA580E1C3724650DB10

Function 00CA162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CA1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CA11D9), ref: 00CA163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CA11D9), ref: 00CA1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CA11D9), ref: 00CA164F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 45634654ebe2548d4ed8a29add47fb2a2cded49d8cf35b07e2b4f9eacb09ed94
Instruction ID: d8df8320b2b68b9af3372ee84c7d88a6f38589a088bc1726189c59c34a10a5aa
Opcode Fuzzy Hash: 45634654ebe2548d4ed8a29add47fb2a2cded49d8cf35b07e2b4f9eacb09ed94
Instruction Fuzzy Hash: EBE08631603213DBD7201FE09E4DB8A3B7CEF457A5F184809F655C9090D6345540C750

Function 00C9D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C9D858
GetDC.USER32(00000000), ref: 00C9D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C9D882
ReleaseDC.USER32(?), ref: 00C9D8A3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ffb02325457d5e42584c2bb3515223cc7bb8398acc9a4394b7dc0df55a8b216e
Instruction ID: a5f1c1949f5b2625ff56b6270c620697297560345344fb1c1c139f7fd9e1bf10
Opcode Fuzzy Hash: ffb02325457d5e42584c2bb3515223cc7bb8398acc9a4394b7dc0df55a8b216e
Instruction Fuzzy Hash: AEE01AB4801206DFCF419FA1D88C76DBBB1FB08311F14800AF816E7250C7389946EF40

Function 00C9D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C9D86C
GetDC.USER32(00000000), ref: 00C9D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C9D882
ReleaseDC.USER32(?), ref: 00C9D8A3

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4fe701ad44d5e0535d036d06aefeed3010abc0713e088fc0019b1dcae4b0a5e6
Instruction ID: b3df12f2e655425462af7291e06411a2ba66e1fa2be40dbb9c1d3d2c55abe79f
Opcode Fuzzy Hash: 4fe701ad44d5e0535d036d06aefeed3010abc0713e088fc0019b1dcae4b0a5e6
Instruction Fuzzy Hash: 4CE01A74801201DFCB509FA0D88876DBBB1FB08311B14800AF816E7250C7389906EF40

Function 00CB4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C47620: _wcslen.LIBCMT ref: 00C47625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CB4ED4

Strings

*, xrefs: 00CB4E10
LPT, xrefs: 00CB4DFB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7adace34b17e636a67c7fa555e47d28f1ca478863f85a22b4e5e195f64ca5d4e
Instruction ID: ec910246811ad98c2feb2266c8c3b292e43d7cc237d589f6c3ebbb0ec86d341b
Opcode Fuzzy Hash: 7adace34b17e636a67c7fa555e47d28f1ca478863f85a22b4e5e195f64ca5d4e
Instruction Fuzzy Hash: E5915075A042549FCB18DF98C484EEABBF1BF44304F198099E81A9F362D735EE85CB91

Function 00C6E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C6E30D

Strings

pow, xrefs: 00C6E2E5, 00C6E302

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 24486b0c06d29efbcce2af9ed2085a6a4bed0391c2980c9c7bdc3098af57f4de
Instruction ID: 048f713ec32233d814a3e747e60adeed229ed0c9f8dcdc19031d1eefa3e6afbc
Opcode Fuzzy Hash: 24486b0c06d29efbcce2af9ed2085a6a4bed0391c2980c9c7bdc3098af57f4de
Instruction Fuzzy Hash: 72517F65A0C2069ACB357724C98137D3B98EF50740F34CA6AE0F9873F9DF348D959A86

Function 00C5E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C5E1B1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 460c3c5d1c8f5d65c5e5c2271582e0452c698fca375114988b9f056bed141cc9
Instruction ID: 98d6d1654879d30d9520b03e5189db0c77d78c89dc9bd2fd4fc69c86ae5d71a8
Opcode Fuzzy Hash: 460c3c5d1c8f5d65c5e5c2271582e0452c698fca375114988b9f056bed141cc9
Instruction Fuzzy Hash: 21513379904346DFDF18DFA8C4856BA7BA8EF25310F244055ECA19B2C0D7309F86DBA1

Function 00C5F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C5F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C5F2BB

Strings

@, xrefs: 00C5F2AF

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2b1c6578daf909cd42494f348dc8fb242a1c5d7569715cb74965b185d3e4afb4
Instruction ID: 4363bae653841374ef10c7ebcef8e703d8b6f0b1d27be324416bbf44df8d426d
Opcode Fuzzy Hash: 2b1c6578daf909cd42494f348dc8fb242a1c5d7569715cb74965b185d3e4afb4
Instruction Fuzzy Hash: 375132724097449BE320AF54DC86BAFBBF8FB84300F81885DF5D9411A5EB318929CB67

Function 00CC5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CC57E0
_wcslen.LIBCMT ref: 00CC57EC

Strings

CALLARGARRAY, xrefs: 00CC57E6, 00CC57EB

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6e00c37977ef598c635595351a5777d6955e2d7cae6b4168ac7a61c1de3b3dd3
Instruction ID: 5c0f57df151e1ca04e5038057f2f056c88a6d70f496fa027c2e000865e4e238e
Opcode Fuzzy Hash: 6e00c37977ef598c635595351a5777d6955e2d7cae6b4168ac7a61c1de3b3dd3
Instruction Fuzzy Hash: 2041BF31E401099FCB14DFA9C881EAEBBB5FF59354F10402DF515A7291E730AE81CBA0

Function 00CBD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CBD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CBD13A

Strings

|, xrefs: 00CBD10B

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e2c80923bb495f4f11af63582f68a762726e291cab5db3f1861363d21641f0f4
Instruction ID: b5d1becedf7c3843b5809c16fd8dc4c1ba4f975bb58bb8cf1305ddcc25d96d39
Opcode Fuzzy Hash: e2c80923bb495f4f11af63582f68a762726e291cab5db3f1861363d21641f0f4
Instruction Fuzzy Hash: 7A314D71D01219ABCF15EFA5CC85EEEBFB9FF05310F100019F816A6166EB31AA06DB61

Function 00CD356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CD3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CD365C

Strings

static, xrefs: 00CD35BC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0b2654c7d03f76fda50082c3a6149ce270e1bc204f05f51fd47b2258cd45cfba
Instruction ID: 6a254355cef6f394c21a4bfa897c0cec8c71a4a72a8bd6b58ed34e23a9c1d98e
Opcode Fuzzy Hash: 0b2654c7d03f76fda50082c3a6149ce270e1bc204f05f51fd47b2258cd45cfba
Instruction Fuzzy Hash: DC318D71110644AEDB109F68DC81FFB73A9FF88720F10861AFAA597290DA31ED82D765

Function 00CD4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CD461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CD4634

Strings

', xrefs: 00CD458E

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f9061bcafb0546e88d059c3658f9459fd5128d837ea6b5b81c05eab6b33c1eeb
Instruction ID: a90e3403bcc646a13e2151fea9843e8eaeb752c133d29c3d6a2ffd369a1df979
Opcode Fuzzy Hash: f9061bcafb0546e88d059c3658f9459fd5128d837ea6b5b81c05eab6b33c1eeb
Instruction Fuzzy Hash: 11310874A013099FDB18CF69D991BDA7BB5FF49300F14406AEA15AB351E770E942CF90

Function 00CD31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CD327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CD3287

Strings

Combobox, xrefs: 00CD3249

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d7aa3865b0bb4e9d88bd0290929e0037f265b91bf2655df410f9c3b6db97fc3d
Instruction ID: bd28ed30a860ddde3fd9e9aa04656b329a840822ba5ff719df1f2ee0de0a61a9
Opcode Fuzzy Hash: d7aa3865b0bb4e9d88bd0290929e0037f265b91bf2655df410f9c3b6db97fc3d
Instruction Fuzzy Hash: 5E11E271B002487FEF219E54DC80FBB3B6AEB94364F10412AFA289B392D6319E518760

Function 00CD3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C4600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C4604C
Part of subcall function 00C4600E: GetStockObject.GDI32(00000011), ref: 00C46060
Part of subcall function 00C4600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C4606A

GetWindowRect.USER32(00000000,?), ref: 00CD377A
GetSysColor.USER32(00000012), ref: 00CD3794

Strings

static, xrefs: 00CD3757

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fbdb84804281a96abbbf2c6a6f0c016a7d05eced49891e65985ae549cbffafc3
Instruction ID: 94b486b6efc532649fb216e8b1835b0188dc0aa1ac611354b977a670411e8467
Opcode Fuzzy Hash: fbdb84804281a96abbbf2c6a6f0c016a7d05eced49891e65985ae549cbffafc3
Instruction Fuzzy Hash: F11129B261060AAFDF00DFA8CD46AFE7BB8FB08354F014516FA65E2250E735E951DB60

Function 00CBCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CBCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CBCDA6

Strings

<local>, xrefs: 00CBCD66

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0176ccf4565ff753b44535d572dd9c7647fb4385cf1994a2a57e52e05fe9a01a
Instruction ID: d3c0d97fd3073677d05896c8e32c9f476d359cd88abc4dbe5c41bb58195c8565
Opcode Fuzzy Hash: 0176ccf4565ff753b44535d572dd9c7647fb4385cf1994a2a57e52e05fe9a01a
Instruction Fuzzy Hash: 6B11C279205632BAD7384B768CC9FE7BEACEF627A4F40422AF15983080D7709950D6F0

Function 00CD3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CD34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CD34BA

Strings

edit, xrefs: 00CD348F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ccdc33101568554f14822cf7dfc9022b1e8f410c79ae431588211eff27dbf66f
Instruction ID: dfea49b71de043c07762388532ce8834b509a3e955fcd38057038c4cc9ac71eb
Opcode Fuzzy Hash: ccdc33101568554f14822cf7dfc9022b1e8f410c79ae431588211eff27dbf66f
Instruction Fuzzy Hash: 0E11BF71100248AFEB125E64EC84BEB3B6AEB05374F504326FA70932D0C779DD519B62

Function 00CA6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

CharUpperBuffW.USER32(?,?,?), ref: 00CA6CB6
_wcslen.LIBCMT ref: 00CA6CC2

Strings

STOP, xrefs: 00CA6CBC, 00CA6CC1

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 9ab295205e58a081eb7f3da249a732234959738a0e967fd9fd0a58ad9ef65249
Instruction ID: b043e5af9e4683fdccea6d2a82eb4c3cb3e987945e7dd00f09efb96ae27d9ca6
Opcode Fuzzy Hash: 9ab295205e58a081eb7f3da249a732234959738a0e967fd9fd0a58ad9ef65249
Instruction Fuzzy Hash: DC01D232A005278BCB20AFBDDC809BF77B5FF62768B190528E97297195EB31DA00C650

Function 00CA1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CA1D4C

Strings

ComboBox, xrefs: 00CA1CEB
ListBox, xrefs: 00CA1D16

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7bca9654f32885daeaac42fb497b16165d12b570e76e3bcb3cac627745ae7908
Instruction ID: 45007029ecf4e6582b9a03435a1943ab7e18f52063ba171841118a2cdbb56be3
Opcode Fuzzy Hash: 7bca9654f32885daeaac42fb497b16165d12b570e76e3bcb3cac627745ae7908
Instruction Fuzzy Hash: 2F01D875A41229ABCB05EBA4DC55DFF7768FB47364F040619FC32572C1EA3059089760

Function 00CA1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CA1C46

Strings

ComboBox, xrefs: 00CA1BE5
ListBox, xrefs: 00CA1C10

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c829ecd85e47f4a63615703ce5dfc001af5ae53b2b87635efe1b88cfaceeedca
Instruction ID: d1e11d8c684d5156beed6459c8e98c99bed6eab8d3ff3fd935777fe82836231c
Opcode Fuzzy Hash: c829ecd85e47f4a63615703ce5dfc001af5ae53b2b87635efe1b88cfaceeedca
Instruction Fuzzy Hash: EA01A775BC11196ACB04EB90DD51AFF7BA8EB133A8F140019BC16672C2EA209F0CD6B1

Function 00CA1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CA1CC8

Strings

ComboBox, xrefs: 00CA1C69
ListBox, xrefs: 00CA1C94

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 868296a237a808b1c49bb30c1ca7b3da21d6950df3536c0b154575906d8fc365
Instruction ID: 0f1c0f282b7f00df9f6a386d76864e5753d4f7b0bd54416991232d48f8bfab9f
Opcode Fuzzy Hash: 868296a237a808b1c49bb30c1ca7b3da21d6950df3536c0b154575906d8fc365
Instruction Fuzzy Hash: BF01A775B8112966CB04E794DA51BFF77A8AB13358F140015BC16732C1EA209F08D6B1

Function 00CA1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C49CB3: _wcslen.LIBCMT ref: 00C49CBD

Part of subcall function 00CA3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CA3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00CA1DD3

Strings

ComboBox, xrefs: 00CA1D75
ListBox, xrefs: 00CA1DA0

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: db8badcfce6b2129e5bddbe7a9f2edac8ee96f5805b982e077346685ce861058
Instruction ID: b570b6ca9776386b07960af33b221e1393372426bc082b6023c28dcc625c1ccc
Opcode Fuzzy Hash: db8badcfce6b2129e5bddbe7a9f2edac8ee96f5805b982e077346685ce861058
Instruction Fuzzy Hash: 38F0A971F512296AD705F7A4DD91BFF7768FB03354F040915BC22632C1DA705A089660

Function 00CC747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC7493
_wcslen.LIBCMT ref: 00CC74B9

Strings

3, 3, 16, 1, xrefs: 00CC7483

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b7e91a8cf63eb9065139dfc1ac5c92b548b6796c006ebe968a0177595bb31fb7
Instruction ID: 9991d102603d140e70dd7f07a571c5d155d72b762f7aaf1db0b317b349e82330
Opcode Fuzzy Hash: b7e91a8cf63eb9065139dfc1ac5c92b548b6796c006ebe968a0177595bb31fb7
Instruction Fuzzy Hash: 2EE0610274472014A33D1279DCC1F7F668EDFC5750710182FF995C2266EA94CE91A7B0

Function 00CA0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CA0B23

Strings

Error allocating memory., xrefs: 00CA0B1C
AutoIt, xrefs: 00CA0B17

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: abf1024e7d7940ccee31e46e6b19fb1e10ef6a0df2c5a35e80acda324cfa9eac
Instruction ID: 6c687ebf05c351c35f233b97b76feed2e7c9557230436f60fe5a74421ac1a5f4
Opcode Fuzzy Hash: abf1024e7d7940ccee31e46e6b19fb1e10ef6a0df2c5a35e80acda324cfa9eac
Instruction Fuzzy Hash: E2E0D8312443096AD2183754BC43F897B849F05B61F10042BFB58555C38AD22490A6BD

Function 00C60D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C5F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C60D71,?,?,?,00C4100A), ref: 00C5F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C4100A), ref: 00C60D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C4100A), ref: 00C60D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C60D7F

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c25ca1cf62542401170c67c0fb159b09f22f5eafbb327e789d78e717436c6fac
Instruction ID: 1717f93380a194ffad0cf8d55676778527f68fc378a741afa2c9e621b68c1f90
Opcode Fuzzy Hash: c25ca1cf62542401170c67c0fb159b09f22f5eafbb327e789d78e717436c6fac
Instruction Fuzzy Hash: 05E092B42007118BD7309FB8E4883477BE4BF14745F108A2EE592D6B55DBB4E485CBA1

Function 00CB3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CB302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CB3044

Strings

aut, xrefs: 00CB3038

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ea25d6df798aa2f3e8c029c7a31213e96cdb61999529a9e18805cd367de43042
Instruction ID: 47fb70cca8105102dff933dcfd6f65080bf1bd41fbd2aea0d17df1532a359e3f
Opcode Fuzzy Hash: ea25d6df798aa2f3e8c029c7a31213e96cdb61999529a9e18805cd367de43042
Instruction Fuzzy Hash: 01D05BB15013146BDA20A7949C4DFCB3B6CD704750F000252B655D20D1DAB4D544CAE0

Function 00C9D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C9D220

Strings

%.3d, xrefs: 00C9D22B
X64, xrefs: 00C9D2A8

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: fd747e2d3cd5c81e4958e432823ca9273af36b754edcfc4ab41d88c262a06575
Instruction ID: 0c35e3d6e8f57b22d3fa2fd7bb7f1556381b8a1402bb2b2875deb83773779009
Opcode Fuzzy Hash: fd747e2d3cd5c81e4958e432823ca9273af36b754edcfc4ab41d88c262a06575
Instruction Fuzzy Hash: D3D012A5C09509EACF5097D1CC8D9BDB37CAB18302F508452FC07B1080D624D94CA761

Function 00CD2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CD236C
PostMessageW.USER32(00000000), ref: 00CD2373

Part of subcall function 00CAE97B: Sleep.KERNEL32 ref: 00CAE9F3

Strings

Shell_TrayWnd, xrefs: 00CD2365

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3f039ae8abd4830670c5b0768642b3e4b149b61fc1df276d8a1fdfe7383270e9
Instruction ID: 0475d5cb1a4d443f90fa0e4d81deab278606864b37da0a2f05b422795399735c
Opcode Fuzzy Hash: 3f039ae8abd4830670c5b0768642b3e4b149b61fc1df276d8a1fdfe7383270e9
Instruction Fuzzy Hash: 3BD0C9323863117AEA64A771AC4FFCA76589B45B14F1049167645AA1D0DAA0E805CA54

Function 00CD2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CD232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CD233F

Part of subcall function 00CAE97B: Sleep.KERNEL32 ref: 00CAE9F3

Strings

Shell_TrayWnd, xrefs: 00CD2325

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2a5a981524c5c57d2f5259d43049fcaa8b8fe1be2a26718cf123b5da08f96c10
Instruction ID: 946106e877e8d828cdd8349fc7d2d92fca1e962a4611dcd8c7349f8ea44a249f
Opcode Fuzzy Hash: 2a5a981524c5c57d2f5259d43049fcaa8b8fe1be2a26718cf123b5da08f96c10
Instruction Fuzzy Hash: E4D01236395311BBEA64B771EC4FFCB7B589B40B14F1049177749AA1D0DAF0E805CA54

Function 00C7BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C7BE93
GetLastError.KERNEL32 ref: 00C7BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C7BEFC

Memory Dump Source

Source File: 00000000.00000002.1743976404.0000000000C41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000000.00000002.1743863287.0000000000C40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000CDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744169670.0000000000D02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744770512.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1744812562.0000000000D14000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 842745fb11d508b625134b08145410fc263f34cde8a6964d4df8737d3c94d323
Instruction ID: 8f0e492dc6ed20f6fc79bcb7e4a1e45c7222ff4fdebe3d2abdc6809aceaaedcd
Opcode Fuzzy Hash: 842745fb11d508b625134b08145410fc263f34cde8a6964d4df8737d3c94d323
Instruction Fuzzy Hash: 8D41D738601216AFDF21CFA5CD94BAE7BA5AF41710F148169F96D972A1DB308E01DB60

Analysis Process: firefox.exePID: 7756, Parent PID: 6640COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001C549EE93B7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001C549EE93DC

Memory Dump Source

Source File: 00000010.00000002.2932370271.000001C549EE5000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001C549EE5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1c549ee5000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 6f751ea7d1f937515ebe5187f23ccde9d3ece0e3cd2269fedb79147011bfaf76
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 61A3C831654E498BEB2DDF28DC86BE977E5FB55300F04422ED94BC7251EF30E9928A81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1908855373.00000251BB3F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1762941073.00000251B1B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1762941073.00000251B1B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1908855373.00000251BB3F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899769187.00000251B066D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899769187.00000251B066D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1762941073.00000251B1B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1762941073.00000251B1B98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2932913659.000001C549F0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2932913659.000001C549F0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2932913659.000001C549F0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2931978751.00000208D120C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1883552572.00000251BB46C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1908855373.00000251BB3F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1871492988.00000251BB47D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1879049849.00000251B10BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906278862.00000251B10BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907540555.00000251B10BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: 197.87.175.4.in-addr.arpa

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52587 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:52589 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:52588 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52593 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52594 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:52592 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:52595 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:52637 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:52638 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:52639 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52637
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52638
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 52592 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52639
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52594
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52595
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52601 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52595 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 52591 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52804
Source: unknown	Network traffic detected: HTTP traffic on port 52587 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52601
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 52594 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 52590 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52588 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52593 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52589 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52589
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52587
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52588
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52592
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52593
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52590
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52591
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0f569f28-2b47-40d1-b4cb-ce8f4c02a763.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0f569f28-2b47-40d1-b4cb-ce8f4c02a763.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre