Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1565531
MD5:	a9e989ef5eb79aeeb328a104849f4a85
SHA1:	2350a9ecc6c9012f34a1206487d96f9912b6b2a9
SHA256:	b5c318e6f3e8af90f8d3bcd87bfd270195d238dba7ab2fe277c0bf9d57e6fdd0
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A9E989EF5EB79AEEB328A104849F4A85)

taskkill.exe (PID: 7292 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7388 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7452 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7516 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7580 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7644 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7684 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7700 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7928 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d28453ce-bbb3-47cc-a509-e2588d894b94} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0c946f110 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7320 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20230927232528 -prefsHandle 4216 -prefMapHandle 2752 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ec1ea3-4057-4a16-83ca-d99827d7004b} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0db4da710 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7296 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afbe1b9-40f8-47f5-924a-bbf70670cb96} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0d9a1ed10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7276	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00BDEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BDED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00BDEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00BCAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BF9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_150c0ff8-f
Source: file.exe, 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_91f7666b-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_960603e3-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e47e912-3

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001FF82432377 NtQuerySystemInformation,		16_2_000001FF82432377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001FF828C5A72 NtQuerySystemInformation,		16_2_000001FF828C5A72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00BCD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BCE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B68060	0_2_00B68060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD2046	0_2_00BD2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8298	0_2_00BC8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9E4FF	0_2_00B9E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9676B	0_2_00B9676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF4873	0_2_00BF4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8CAA0	0_2_00B8CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B6CAF0	0_2_00B6CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7CC39	0_2_00B7CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96DD9	0_2_00B96DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B691C0	0_2_00B691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7B119	0_2_00B7B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81394	0_2_00B81394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81706	0_2_00B81706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8781B	0_2_00B8781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B819B0	0_2_00B819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B67920	0_2_00B67920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7997D	0_2_00B7997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87A4A	0_2_00B87A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87CA7	0_2_00B87CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81C77	0_2_00B81C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B99EEE	0_2_00B99EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BEBE44	0_2_00BEBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81F32	0_2_00B81F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001FF82432377	16_2_000001FF82432377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001FF828C5A72	16_2_000001FF828C5A72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001FF828C619C	16_2_000001FF828C619C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001FF828C5AB2	16_2_000001FF828C5AB2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B80A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B7F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/36@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD37B5 GetLastError,FormatMessageW,

0_2_00BD37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC10BF AdjustTokenPrivileges,CloseHandle,		0_2_00BC10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BC16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BD51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BCD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00BD648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B642A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1998571764.000001B0DA9C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864440511.000001B0DA9C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 34%
Source: file.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d28453ce-bbb3-47cc-a509-e2588d894b94} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0c946f110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20230927232528 -prefsHandle 4216 -prefMapHandle 2752 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ec1ea3-4057-4a16-83ca-d99827d7004b} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0db4da710 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afbe1b9-40f8-47f5-924a-bbf70670cb96} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0d9a1ed10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d28453ce-bbb3-47cc-a509-e2588d894b94} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0c946f110 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20230927232528 -prefsHandle 4216 -prefMapHandle 2752 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ec1ea3-4057-4a16-83ca-d99827d7004b} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0db4da710 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afbe1b9-40f8-47f5-924a-bbf70670cb96} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0d9a1ed10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80A76 push ecx; ret

0_2_00B80A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B7F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BF1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96462

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001FF82432377 rdtsc

16_2_000001FF82432377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Users\user\Desktop\file.exe TID: 7280	Thread sleep count: 109 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7280	Thread sleep count: 177 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BCDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD68EE FindFirstFileW,FindClose,	0_2_00BD68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00BD698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BCD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BD979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00BD9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00BD5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: firefox.exe, 00000011.00000002.3027682313.00000237F726A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpIf
Source: firefox.exe, 00000010.00000002.3033651418.000001FF82930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle,
Source: firefox.exe, 0000000F.00000002.3034558166.0000026AC92E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3028169199.0000026AC8DAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3033651418.000001FF82930000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3027159482.000001FF81FCA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3033014537.00000237F7660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3034558166.0000026AC92E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: firefox.exe, 0000000F.00000002.3033403740.0000026AC9117000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3034558166.0000026AC92E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: firefox.exe, 00000010.00000002.3033651418.000001FF82930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPj
Source: firefox.exe, 00000010.00000002.3033651418.000001FF82930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.&
Source: firefox.exe, 0000000F.00000002.3034558166.0000026AC92E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3033651418.000001FF82930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001FF82432377 rdtsc

16_2_000001FF82432377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BDEAA2 BlockInput,

0_2_00BDEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B92622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B84CE8 mov eax, dword ptr fs:[00000030h]

0_2_00B84CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00BC0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B92622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B809D5 SetUnhandledExceptionFilter,	0_2_00B809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B80C21

Source: C:\Users\user\Desktop\file.exe

0_2_00BC1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BA2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00BA2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BCB226 SendInput,keybd_event,

0_2_00BCB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00BE22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00BC0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BC1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1898388483.000001B0E57E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80698 cpuid

0_2_00B80698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00BD8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BBD27A GetUserNameW,

0_2_00BBD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B9BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B642DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7276, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00BE1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BE1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	36%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://detectportal.firefox.comX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.78	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3028885319.00000237F75C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.2006179820.000001B0E1184000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1985750768.000001B0DC77D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013274253.000001B0E520C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3028763307.0000026AC8EE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF823F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3033405253.00000237F7803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1843389816.000001B0E1238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942294036.000001B0E1230000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3028885319.00000237F758F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.2011617579.000001B0DA3C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2005560858.000001B0E4F75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1862504287.000001B0E1A9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979730691.000001B0E1A9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994758564.000001B0E1A9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1808288316.000001B0D9077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807781983.000001B0D901F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808129233.000001B0D905A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807980559.000001B0D903C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807638793.000001B0D8E00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1991455594.000001B0DAA9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003465927.000001B0DACA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.2011780618.000001B0DA362000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1865982544.000001B0E1165000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1860412408.000001B0E165F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808129233.000001B0D905A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807980559.000001B0D903C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945816723.000001B0DA2B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807638793.000001B0D8E00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000D.00000003.1989759544.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996133611.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848836718.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1808288316.000001B0D9077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807781983.000001B0D901F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808129233.000001B0D905A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807980559.000001B0D903C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807638793.000001B0D8E00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000D.00000003.1848836718.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3028763307.0000026AC8EE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF823F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3033405253.00000237F7803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.2012927447.000001B0D9A9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1877204293.000001B0DAB2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ok.ru/	firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1980557245.000001B0E16EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000507581.000001B0E1627000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3028763307.0000026AC8EE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF823F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3033405253.00000237F7803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://www.youtube.com/	firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1876576970.000001B0DA2A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
http://detectportal.firefox.comX	firefox.exe, 0000000D.00000003.1985750768.000001B0DC77D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000721955.000001B0DC7B2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.2012927447.000001B0D9A9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3028885319.00000237F75C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1864019532.000001B0E1073000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1873146057.000001B0DA669000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1949510670.000001B0DA288000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977301142.000001B0DA287000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.2011701483.000001B0DA3B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1980557245.000001B0E16D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1991455594.000001B0DAA9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003465927.000001B0DACC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.2011617579.000001B0DA3C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF82312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028885319.00000237F7513000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.3028763307.0000026AC8E72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1865982544.000001B0E1165000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1981010521.000001B0E165B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860412408.000001B0E1678000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995434421.000001B0E165B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1876417228.000001B0DA66B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1852383073.000001B0DA1C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863396356.000001B0E11E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942294036.000001B0E1215000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865982544.000001B0E11AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809168601.000001B0D9150000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870606957.000001B0DA1D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2010172638.000001B0DB4B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877979386.000001B0DA6B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013694625.000001B0E3737000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843135729.000001B0E12B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848836718.000001B0DB8F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949510670.000001B0DA225000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2002290103.000001B0D93EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1989299513.000001B0DC54B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2007900919.000001B0E3735000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813497481.000001B0DA2D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1814325449.000001B0DA2CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876417228.000001B0DA6B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1977221508.000001B0DA2BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866634483.000001B0E112E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1949510670.000001B0DA288000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1989759544.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996133611.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848836718.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://youtube.com/	firefox.exe, 0000000D.00000003.1860412408.000001B0E1678000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1989759544.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1996133611.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848836718.000001B0DB8BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000559481.000001B0E132B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1866634483.000001B0E112E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863936308.000001B0E112E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1866634483.000001B0E112E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863936308.000001B0E112E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1981010521.000001B0E165B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860412408.000001B0E1678000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1995434421.000001B0E165B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1843389816.000001B0E1238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942294036.000001B0E1230000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.2006354300.000001B0E15CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1810592589.000001B0D8833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810003125.000001B0D8833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810362556.000001B0D881D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1876417228.000001B0DA66B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1864019532.000001B0E10E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2008903832.000001B0E10F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1876576970.000001B0DA2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874581268.000001B0DAB06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873146057.000001B0DA6E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876889639.000001B0DA2AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1810592589.000001B0D8833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810003125.000001B0D8833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810362556.000001B0D881D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.2012927447.000001B0D9A9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3028763307.0000026AC8EE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF823F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3033405253.00000237F7803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1981219192.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981219192.000001B0E137A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965812331.000001B0E137A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.2012299116.000001B0DA33E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2013945067.000001B0E2CAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2000078147.000001B0E2CAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892107874.000001B0E2CAA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1807638793.000001B0D8E00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1808288316.000001B0D9077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948430220.000001B0DA2B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807781983.000001B0D901F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875786991.000001B0DA2B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808129233.000001B0D905A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807980559.000001B0D903C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945816723.000001B0DA2B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2012839738.000001B0D9AD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807638793.000001B0D8E00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1865982544.000001B0E1165000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3033047205.0000026AC8F70000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3028707550.000001FF821B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3033135368.00000237F7760000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.2000507581.000001B0E1627000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000000D.00000003.1965812331.000001B0E136C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://vk.com/	firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565531
Start date and time:	2024-11-30 05:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/36@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 52.32.237.164, 34.209.229.249, 172.217.17.78, 88.221.134.155, 88.221.134.209, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:35:13	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.118.84.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.118.84.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig	Browse	34.118.84.150
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	secondaryTask.vbs	Get hash	malicious	Clipboard Hijacker, MicroClip, Remcos	Browse	185.199.108.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	LauncherPred8.3.389 stablesetup.msi	Get hash	malicious	Clipboard Hijacker, MicroClip, Remcos	Browse	185.199.108.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	HackBrowser, Xmrig	Browse	34.160.111.145
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	HackBrowser, Xmrig	Browse	34.160.111.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181497849653027
Encrypted:	false
SSDEEP:	192:djMXxtmcbhbVbTbfbRbObtbyEl7nMrmJA6WnSrDtTUd/SkDrO:dY6cNhnzFSJsrlBnSrDhUd/A
MD5:	8E2358E099ACA1FBBB18E50F3D43836C
SHA1:	0BFF32A58D0C8356ED2F11A54FDD890487247E0F
SHA-256:	91E313A3B954ED36075C2FB1A56BF41DAFF2B4967D59876821B0FBFDC9263A34
SHA-512:	700B57856582BB4B11E06B12CC8740CB08275D8B0371EB719C6877777FB9AE655F50E7A90E743AD6345A90EF1D9A2B5EB178E803313E5F3121530EFB7D47A7CC
Malicious:	false
Preview:	{"type":"uninstall","id":"45fcd96f-7d16-4a2c-b54a-73b2ba21a852","creationDate":"2024-11-30T05:51:27.806Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181497849653027
Encrypted:	false
SSDEEP:	192:djMXxtmcbhbVbTbfbRbObtbyEl7nMrmJA6WnSrDtTUd/SkDrO:dY6cNhnzFSJsrlBnSrDhUd/A
MD5:	8E2358E099ACA1FBBB18E50F3D43836C
SHA1:	0BFF32A58D0C8356ED2F11A54FDD890487247E0F
SHA-256:	91E313A3B954ED36075C2FB1A56BF41DAFF2B4967D59876821B0FBFDC9263A34
SHA-512:	700B57856582BB4B11E06B12CC8740CB08275D8B0371EB719C6877777FB9AE655F50E7A90E743AD6345A90EF1D9A2B5EB178E803313E5F3121530EFB7D47A7CC
Malicious:	false
Preview:	{"type":"uninstall","id":"45fcd96f-7d16-4a2c-b54a-73b2ba21a852","creationDate":"2024-11-30T05:51:27.806Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927344996982228
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN+9j:8S+OfJQPUFpOdwNIOdYVjvYcXaNLt08P
MD5:	50E0ED47158AC14D530B9918BFBE8ED6
SHA1:	CE1CF18D863B5484E08F88006D6E2725C9B7C31D
SHA-256:	634559504BFDCBD6F316C0AA0B5FFBD74FE1B81B707D4E922A7ED735BBF8539D
SHA-512:	CB1DF71542DE35D870D54AAA85398F1E766EAC155C98870A6DC7E42A2771F102C7691D478381091F454D2EE2819155596F9EF655CA45827E105F5A37E6DFFC15
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927344996982228
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakN+9j:8S+OfJQPUFpOdwNIOdYVjvYcXaNLt08P
MD5:	50E0ED47158AC14D530B9918BFBE8ED6
SHA1:	CE1CF18D863B5484E08F88006D6E2725C9B7C31D
SHA-256:	634559504BFDCBD6F316C0AA0B5FFBD74FE1B81B707D4E922A7ED735BBF8539D
SHA-512:	CB1DF71542DE35D870D54AAA85398F1E766EAC155C98870A6DC7E42A2771F102C7691D478381091F454D2EE2819155596F9EF655CA45827E105F5A37E6DFFC15
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07334727757666264
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkimW:DLhesh7Owd4+ji
MD5:	2F1B6177F33AE7C267A04CA5B9A2531E
SHA1:	2AB91287D6A03AC2EFF9CEC1EBD3592CBE51B9EE
SHA-256:	471EAC761FA9FE2C56993434060FBCB4528FCBCDB2E4BE600339FEF6BDDFFD69
SHA-512:	7AEAA8C7C873547FAECEEB83BA434E1537FC9F6CE1EF92733BE1CDBEB693E5FDAAE8DC7F17D5ABA84DC75502AD5521D0AED679B9C5271D711475D0525CF67212
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFGstsNxuK9HIttlstFGstsNxuKlllllJ89//alEl:GtWtEsts5IttWtEstsTD89XuM
MD5:	33D6825E20AF119E6B90320B6F14D01E
SHA1:	B942FBE6CD5D97621B8FB06CEC0662A4F8312F5F
SHA-256:	D502633773C4E850D3132F562E20C77AF9879C8CE1BC1471AE1AC52EC16E6FF1
SHA-512:	72D857581EB3CA33385490D68AD0A62E4FE2D0358629FB2A10F358EDCE6C4C0DDAFDB8FD6391C995340DD9BF96AC9367B6B0A7E4D402AC071551DE3D2B5119B4
Malicious:	false
Preview:	..-........................jb.2.M.ory......:.V....-........................jb.2.M.ory......:.V..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03998118428817617
Encrypted:	false
SSDEEP:	3:Ol1+Nlt/y3oFgO69llia7l8rEXsxdwhml8XW3R2:KIpC5Ywl8dMhm93w
MD5:	6B93655B372C98D2C210B3521C5DE693
SHA1:	7882A6503F7AACD9678C0422D8063BFBFE843183
SHA-256:	F9D903EF3E583DAF3A46A2C2B7C2A71A6546D4F511550142F8702C9EA04752AB
SHA-512:	6FEF95F484A2C7B378E827F35A8F2160E9067DAFEF904F8A7957C0811AE1C8EC16219DFA37B573EA2B4F508C9B4D7C5165E579A31727EAA3472397290AD2DEDF
Malicious:	false
Preview:	7....-..........M.ory...H6.`.5.~........M.ory...j....2.b................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496171098023503
Encrypted:	false
SSDEEP:	192:ZnaRtLYbBp63hj4qyaaX16Kf6N9f5RfGNBw8dvVSl:Ee9qnk2tcwi0
MD5:	3285D76F507B2313FB5B7F172947A1F0
SHA1:	129D8F2D225B8794DC9FEB8FC37B0FF8E1DA53DD
SHA-256:	69DC8E818918BF620DF19F7F485E2F8BD77FE56C5243F8C5A036549B3AF1673A
SHA-512:	5BD42B368192DD885E991DFC839E84F2CDABCA6C8FE0353C3A7BE9E7455B3BFDF9CD9E6CCF44619CC32FBE3923F4CB6EE99F6178E9F398E333323EC0C1913E15
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732945858);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732945858);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732945858);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173294

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496171098023503
Encrypted:	false
SSDEEP:	192:ZnaRtLYbBp63hj4qyaaX16Kf6N9f5RfGNBw8dvVSl:Ee9qnk2tcwi0
MD5:	3285D76F507B2313FB5B7F172947A1F0
SHA1:	129D8F2D225B8794DC9FEB8FC37B0FF8E1DA53DD
SHA-256:	69DC8E818918BF620DF19F7F485E2F8BD77FE56C5243F8C5A036549B3AF1673A
SHA-512:	5BD42B368192DD885E991DFC839E84F2CDABCA6C8FE0353C3A7BE9E7455B3BFDF9CD9E6CCF44619CC32FBE3923F4CB6EE99F6178E9F398E333323EC0C1913E15
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732945858);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732945858);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732945858);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173294

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\bcdaee9a-4819-42be-85cc-d4aac6b371e9 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.944164831645922
Encrypted:	false
SSDEEP:	12:YZFgl58SaDIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YbSUSlCOlZGV1AQIWZcy6Z2d
MD5:	546B9018AF585A051A6BDA861E2F3FBD
SHA1:	98CF11467BAE432BFFA6B491341EC55C5955DD4D
SHA-256:	F3BB40119EDBD6D363C655D898AC441687C96F41775450A8ECFD2A880666276C
SHA-512:	13BED021C826ECD745B16FA5D537F453DA1A354DF71ED3CDDBACA3C1E5A02E5E315D6F99D2BC2ED8F8EA8898F0BBACE766DE2DBA4545AE55CBEEF4077E323537
Malicious:	false
Preview:	{"type":"health","id":"bcdaee9a-4819-42be-85cc-d4aac6b371e9","creationDate":"2024-11-30T05:51:29.306Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\bcdaee9a-4819-42be-85cc-d4aac6b371e9.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.944164831645922
Encrypted:	false
SSDEEP:	12:YZFgl58SaDIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YbSUSlCOlZGV1AQIWZcy6Z2d
MD5:	546B9018AF585A051A6BDA861E2F3FBD
SHA1:	98CF11467BAE432BFFA6B491341EC55C5955DD4D
SHA-256:	F3BB40119EDBD6D363C655D898AC441687C96F41775450A8ECFD2A880666276C
SHA-512:	13BED021C826ECD745B16FA5D537F453DA1A354DF71ED3CDDBACA3C1E5A02E5E315D6F99D2BC2ED8F8EA8898F0BBACE766DE2DBA4545AE55CBEEF4077E323537
Malicious:	false
Preview:	{"type":"health","id":"bcdaee9a-4819-42be-85cc-d4aac6b371e9","creationDate":"2024-11-30T05:51:29.306Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3292474438360165
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqLXnIgQR/pnxQwRlszT5sKt0q3eHVQj6T0amhujJF6tOsIomNVr0l:GUpOxbYrnR6v3eHT04JF6tIquR4
MD5:	2B7C4D6E103427D566545920BDA51569
SHA1:	8B60E8715CC6D038334F896E4D81DA8412820CCC
SHA-256:	4B856659E1FEA77E20AF83A3C5382A57986C9C418996AF44AD14EB807C75DBDA
SHA-512:	5B0811FB8193D5E77AE6C539F0F287C8199959CE42C19F0C119D3DF1B2B86AF74C91FC9520DADA77CAE0343AB188F0C54855335907C04C96F9A59124B5F728F1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8ec515f2-4c5b-4941-a4ff-00e00f6a1313}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732945862606,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P27728...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32465,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3292474438360165
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqLXnIgQR/pnxQwRlszT5sKt0q3eHVQj6T0amhujJF6tOsIomNVr0l:GUpOxbYrnR6v3eHT04JF6tIquR4
MD5:	2B7C4D6E103427D566545920BDA51569
SHA1:	8B60E8715CC6D038334F896E4D81DA8412820CCC
SHA-256:	4B856659E1FEA77E20AF83A3C5382A57986C9C418996AF44AD14EB807C75DBDA
SHA-512:	5B0811FB8193D5E77AE6C539F0F287C8199959CE42C19F0C119D3DF1B2B86AF74C91FC9520DADA77CAE0343AB188F0C54855335907C04C96F9A59124B5F728F1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8ec515f2-4c5b-4941-a4ff-00e00f6a1313}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732945862606,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P27728...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32465,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3292474438360165
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqLXnIgQR/pnxQwRlszT5sKt0q3eHVQj6T0amhujJF6tOsIomNVr0l:GUpOxbYrnR6v3eHT04JF6tIquR4
MD5:	2B7C4D6E103427D566545920BDA51569
SHA1:	8B60E8715CC6D038334F896E4D81DA8412820CCC
SHA-256:	4B856659E1FEA77E20AF83A3C5382A57986C9C418996AF44AD14EB807C75DBDA
SHA-512:	5B0811FB8193D5E77AE6C539F0F287C8199959CE42C19F0C119D3DF1B2B86AF74C91FC9520DADA77CAE0343AB188F0C54855335907C04C96F9A59124B5F728F1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8ec515f2-4c5b-4941-a4ff-00e00f6a1313}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732945862606,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...7,"startTim..P27728...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...32465,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034089298937135
Encrypted:	false
SSDEEP:	48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	93E526C732EF9F1AB29CA46928B07FCF
SHA1:	68C2CC8DFB9C679177455F686BA0C402929E7A03
SHA-256:	14D8AA2DD73B821F602EE3677B9B62EE07C5A7952793F820C2804AAAE93338C5
SHA-512:	04B3640A82C1F215F439CAA15E9F037E8337A359ACC1B51683838269EA86684116C36899E4AA7E9688970526525AE7441660C679EE1392970FAC5B3439F26AEC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-30T05:50:45.985Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034089298937135
Encrypted:	false
SSDEEP:	48:YrSAYt6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yctyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	93E526C732EF9F1AB29CA46928B07FCF
SHA1:	68C2CC8DFB9C679177455F686BA0C402929E7A03
SHA-256:	14D8AA2DD73B821F602EE3677B9B62EE07C5A7952793F820C2804AAAE93338C5
SHA-512:	04B3640A82C1F215F439CAA15E9F037E8337A359ACC1B51683838269EA86684116C36899E4AA7E9688970526525AE7441660C679EE1392970FAC5B3439F26AEC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-30T05:50:45.985Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.59131047180261
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	a9e989ef5eb79aeeb328a104849f4a85
SHA1:	2350a9ecc6c9012f34a1206487d96f9912b6b2a9
SHA256:	b5c318e6f3e8af90f8d3bcd87bfd270195d238dba7ab2fe277c0bf9d57e6fdd0
SHA512:	f8b7685846b3efdb253b1c3ef5e45b308a240f9ee56f2f30b07777628b573247291b654b43d8029bada68896b456aeba3c98865914d9f96b3eb8db3cdb1e8ba3
SSDEEP:	24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aNhK:2TvC/MTQYxsWR7aN
TLSH:	65159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674A8F35 [Sat Nov 30 04:06:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3ECCDF6AC3h
jmp 00007F3ECCDF63CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3ECCDF65ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3ECCDF657Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3ECCDF916Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3ECCDF91B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3ECCDF91A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa76c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa76c	0xa800	b4dbcb6a5873d1564d0093871dafc6dc	False	0.3673502604166667	data	5.609527849838507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1a32	data			1.0016403220996122
RT_GROUP_ICON	0xde1ec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde264	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde278	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde28c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde2a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde37c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 05:35:12.202944994 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:12.202996969 CET	443	49736	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:12.203174114 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:12.239216089 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:12.239233971 CET	443	49736	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:13.507458925 CET	443	49736	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:13.514663935 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:13.544756889 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:13.544775963 CET	443	49736	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:13.544889927 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:13.545037031 CET	443	49736	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:13.548435926 CET	49736	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:13.868451118 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:13.868482113 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:13.873033047 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:13.873073101 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:13.875958920 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:13.876070976 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:13.878135920 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:13.878151894 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:13.882411003 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:13.882427931 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:13.882652998 CET	49740	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:14.002614975 CET	80	49740	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:14.002705097 CET	49740	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:14.002929926 CET	49740	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:14.123414040 CET	80	49740	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:14.206814051 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:14.206868887 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:14.207016945 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:14.207148075 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:14.207159996 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:14.284027100 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:14.284084082 CET	443	49742	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:14.284178972 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:14.285958052 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:14.285973072 CET	443	49742	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:14.337635994 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:14.337663889 CET	443	49743	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:14.341082096 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:14.342777014 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:14.342792034 CET	443	49743	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:14.740928888 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:14.740973949 CET	443	49744	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:14.744972944 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:14.745227098 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:14.745243073 CET	443	49744	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:15.135251999 CET	80	49740	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:15.201550007 CET	49740	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:15.423671961 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:15.431334019 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:15.443880081 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:15.443945885 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:15.463538885 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:15.463566065 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:15.463864088 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:15.493458986 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:15.493587971 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:15.493700027 CET	443	49741	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:15.493850946 CET	49741	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:15.556904078 CET	443	49742	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:15.556974888 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.561317921 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.561343908 CET	443	49742	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:15.561417103 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.561542988 CET	443	49742	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:15.561654091 CET	49742	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.574737072 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.574752092 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.575465918 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.579638958 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.579655886 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.584991932 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.585009098 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.585108042 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.585235119 CET	443	49738	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.585360050 CET	49738	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.612476110 CET	443	49743	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:15.613976002 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.664314985 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.665040970 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.666512012 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.666526079 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.717665911 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.792176008 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.792202950 CET	443	49743	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:15.792258024 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.792541027 CET	443	49743	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:15.793929100 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.793936968 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.794054031 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:15.794187069 CET	443	49739	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:15.794358969 CET	49743	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:15.794377089 CET	49739	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:16.053195000 CET	443	49744	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:16.053261042 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.327449083 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.327482939 CET	443	49744	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:16.327672005 CET	49740	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:16.327879906 CET	443	49744	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:16.328011990 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:16.328037977 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:16.331743002 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.331866980 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.331964016 CET	443	49744	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:16.332206964 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.332232952 CET	443	49748	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:16.335127115 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.335179090 CET	49744	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.335189104 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:16.335207939 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.336842060 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:16.336857080 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:16.336977959 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:16.336992025 CET	443	49748	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:16.447854042 CET	80	49740	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:16.447921991 CET	49740	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:16.467422962 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:16.467454910 CET	443	49749	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:16.467742920 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:16.467915058 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:16.467928886 CET	443	49749	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:16.845191956 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:16.845227957 CET	443	49750	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:16.852258921 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:16.854147911 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:16.854163885 CET	443	49750	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:16.964452028 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:16.964668036 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:17.001950026 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:17.001980066 CET	443	49753	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:17.002316952 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:17.003767967 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:17.003782988 CET	443	49753	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:17.084495068 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:17.084575891 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:17.084592104 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:17.084810019 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:17.084933996 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:17.085016966 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:17.131133080 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:17.131155968 CET	443	49754	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:17.134021997 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:17.135585070 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:17.135597944 CET	443	49754	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:17.204711914 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:17.204860926 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:17.547962904 CET	443	49748	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:17.552675009 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:17.564115047 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:17.564135075 CET	443	49748	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:17.564434052 CET	443	49748	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:17.566859007 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:17.566966057 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:17.567042112 CET	443	49748	34.160.144.191	192.168.2.4
Nov 30, 2024 05:35:17.567112923 CET	49748	443	192.168.2.4	34.160.144.191
Nov 30, 2024 05:35:17.680697918 CET	443	49749	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:17.686531067 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:17.689474106 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:17.689491034 CET	443	49749	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:17.689749002 CET	443	49749	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:17.692094088 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:17.692235947 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:17.692272902 CET	443	49749	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:17.692460060 CET	49749	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:18.072164059 CET	443	49750	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:18.072180033 CET	443	49750	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:18.072307110 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.076643944 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.076651096 CET	443	49750	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:18.076776028 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.076828003 CET	443	49750	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:18.077155113 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.077178955 CET	443	49756	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:18.077349901 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:18.077363968 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:18.078064919 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:18.090926886 CET	49750	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.090995073 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:18.091005087 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:18.091016054 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.093517065 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:18.093532085 CET	443	49756	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:18.097222090 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:18.097240925 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:18.097315073 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:18.097424984 CET	443	49747	142.250.181.78	192.168.2.4
Nov 30, 2024 05:35:18.103756905 CET	49747	443	192.168.2.4	142.250.181.78
Nov 30, 2024 05:35:18.155190945 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:18.155245066 CET	443	49757	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:18.166604996 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:18.168056965 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:18.168071985 CET	443	49757	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:18.216626883 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:18.262448072 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:18.267096996 CET	443	49753	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:18.271334887 CET	443	49753	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:18.274434090 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:18.274497986 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.283329964 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.283337116 CET	443	49753	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:18.283411980 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.283535957 CET	443	49753	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:18.294807911 CET	49753	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.315236092 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:18.352519989 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:18.396447897 CET	443	49754	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:18.396723032 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:18.401227951 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:18.401242018 CET	443	49754	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:18.401303053 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:18.401446104 CET	443	49754	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:18.401540041 CET	49754	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:18.472454071 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:18.485121012 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:18.605003119 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:18.677314043 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:18.722628117 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:18.818100929 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:18.847224951 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.847263098 CET	443	49758	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:18.847455978 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.848953962 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:18.848969936 CET	443	49758	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:18.869822979 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:19.310667038 CET	443	49756	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:19.310682058 CET	443	49756	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:19.310762882 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:19.376074076 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:19.376101017 CET	443	49756	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:19.376184940 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:19.376324892 CET	443	49756	34.117.188.166	192.168.2.4
Nov 30, 2024 05:35:19.376549959 CET	49756	443	192.168.2.4	34.117.188.166
Nov 30, 2024 05:35:19.429577112 CET	443	49757	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:19.429590940 CET	443	49757	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:19.429665089 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:19.433783054 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:19.433793068 CET	443	49757	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:19.433881044 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:19.434093952 CET	443	49757	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:19.435080051 CET	49757	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:20.059544086 CET	443	49758	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:20.061960936 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:20.066255093 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:20.066268921 CET	443	49758	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:20.066365957 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:20.066438913 CET	443	49758	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:20.066525936 CET	49758	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:25.671857119 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:25.772088051 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:25.774019003 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:25.774043083 CET	443	49761	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:25.774590969 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:25.775963068 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:25.775975943 CET	443	49761	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:25.791848898 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:25.892071962 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:25.995873928 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:26.048448086 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:26.105547905 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:26.148765087 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:26.510885954 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:26.526959896 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:26.527009010 CET	443	49763	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:26.529268980 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:26.530865908 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:26.530884981 CET	443	49763	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:26.630830050 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:26.631169081 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:26.631225109 CET	443	49764	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:26.631794930 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:26.631843090 CET	443	49765	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:26.634316921 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:26.634552956 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:26.634557009 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:26.634571075 CET	443	49764	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:26.634690046 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:26.634713888 CET	443	49765	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:26.834912062 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:26.882011890 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:27.078831911 CET	443	49761	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.082760096 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.086891890 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.086931944 CET	443	49761	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.086986065 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.087100983 CET	443	49761	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.098303080 CET	49761	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.787781954 CET	443	49763	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:27.787863970 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:27.792855024 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:27.792855024 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:27.792869091 CET	443	49763	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:27.793030024 CET	443	49763	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:27.793090105 CET	49763	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:27.797449112 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:27.797481060 CET	443	49767	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:27.799251080 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:27.800745010 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:27.800757885 CET	443	49767	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:27.939502001 CET	443	49764	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.940049887 CET	443	49765	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.942550898 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.942565918 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.945611954 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.945621014 CET	443	49764	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.945882082 CET	443	49764	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.947951078 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.947957039 CET	443	49765	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.948225975 CET	443	49765	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.950864077 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.950946093 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.951023102 CET	443	49764	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.951040030 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.951090097 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.951195955 CET	443	49765	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:27.951239109 CET	49764	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:27.951528072 CET	49765	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:28.308988094 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:28.428941965 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:28.642247915 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:28.687302113 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:28.847599030 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:28.967438936 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:29.056211948 CET	443	49767	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:29.057288885 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:29.171917915 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:29.220015049 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:29.514206886 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:29.514224052 CET	443	49767	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:29.514287949 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:29.514499903 CET	443	49767	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:29.515058041 CET	49767	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:29.747186899 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.747200966 CET	443	49769	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:29.749166012 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.749319077 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.749331951 CET	443	49769	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:29.846323967 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:29.847990036 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.848040104 CET	443	49770	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:29.859477043 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.871207952 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.871243954 CET	443	49770	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:29.875957966 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.875987053 CET	443	49771	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:29.878415108 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.888410091 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:29.888425112 CET	443	49771	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:29.966140985 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:30.181076050 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:30.222948074 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:30.897707939 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:31.017610073 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:31.052890062 CET	443	49769	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.052958965 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.056302071 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.056308031 CET	443	49769	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.056591034 CET	443	49769	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.058973074 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.059056044 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.059148073 CET	443	49769	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.059864998 CET	49769	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.061940908 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:31.144825935 CET	443	49771	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.147775888 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.152327061 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.152343035 CET	443	49771	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.152631044 CET	443	49771	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.154658079 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.154732943 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.154839993 CET	443	49771	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.155961037 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.155961037 CET	49771	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.176359892 CET	443	49770	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.176376104 CET	443	49770	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.179001093 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.181799889 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:31.183909893 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.183923006 CET	443	49770	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.183984995 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.184072018 CET	443	49770	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.184231043 CET	49770	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.188525915 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.188570976 CET	443	49773	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.188868046 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.190268040 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:31.190282106 CET	443	49773	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:31.221905947 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:31.263906956 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:31.394979954 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:31.399717093 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:31.448571920 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:31.519629955 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:31.727998018 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:31.780669928 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:32.447540998 CET	443	49773	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:32.447627068 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.452099085 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.452105999 CET	443	49773	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:32.452224016 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.452240944 CET	443	49773	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:32.453231096 CET	49773	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.455660105 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:32.458724022 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.458754063 CET	443	49774	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:32.458853006 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.460216999 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:32.460232019 CET	443	49774	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:32.575532913 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:32.789169073 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:32.792644024 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:32.830409050 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:32.912527084 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:33.116688013 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:33.169023037 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:33.763468027 CET	443	49774	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:33.763561964 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:33.768054008 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:33.768060923 CET	443	49774	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:33.768162966 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:33.768197060 CET	443	49774	34.120.208.123	192.168.2.4
Nov 30, 2024 05:35:33.769630909 CET	49774	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:35:33.771671057 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:33.891616106 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:34.104820967 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:34.108411074 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:34.156312943 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:34.228267908 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:34.432642937 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:34.472770929 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:38.374155045 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:38.374190092 CET	443	49775	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:38.374448061 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:38.375916958 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:38.375936031 CET	443	49775	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:39.586963892 CET	443	49775	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:39.587182999 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:39.592075109 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:39.592087984 CET	443	49775	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:39.592180014 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:39.592219114 CET	443	49775	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:39.592401028 CET	49775	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:39.595454931 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:39.715353012 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:39.928809881 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:39.932959080 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:39.973160982 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:40.052838087 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:40.257011890 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:40.320899963 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:40.331487894 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:40.331511974 CET	443	49776	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:40.331860065 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:40.332005978 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:40.332017899 CET	443	49776	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:40.345923901 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:40.345943928 CET	443	49777	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:40.346080065 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:40.346249104 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:40.346260071 CET	443	49777	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:40.482871056 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:40.482902050 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:40.483356953 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:40.483484030 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:40.483495951 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:40.526689053 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:40.526736975 CET	443	49779	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:40.531997919 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:40.533442974 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:40.533461094 CET	443	49779	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:40.998074055 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:40.998114109 CET	443	49780	35.201.103.21	192.168.2.4
Nov 30, 2024 05:35:40.998589993 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:41.000099897 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:41.000119925 CET	443	49780	35.201.103.21	192.168.2.4
Nov 30, 2024 05:35:41.592170954 CET	443	49776	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.593493938 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.596765041 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.596774101 CET	443	49776	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.596992970 CET	443	49776	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.598845005 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.598934889 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.598973036 CET	443	49776	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.602158070 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.602158070 CET	49776	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.603770971 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:41.604084015 CET	443	49777	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:41.604676008 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:41.607633114 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:41.607640982 CET	443	49777	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:41.607880116 CET	443	49777	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:41.610161066 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:41.610243082 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:41.610307932 CET	443	49777	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:41.611979008 CET	49777	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:41.724029064 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:41.744232893 CET	443	49779	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:41.744316101 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:41.749325991 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:41.749340057 CET	443	49779	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:41.749418974 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:41.749567986 CET	443	49779	35.190.72.216	192.168.2.4
Nov 30, 2024 05:35:41.750036001 CET	49779	443	192.168.2.4	35.190.72.216
Nov 30, 2024 05:35:41.791553020 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:41.791635990 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.795125008 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.795133114 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:41.795591116 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:41.797477961 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.797590971 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.797635078 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:41.803328037 CET	443	49778	151.101.193.91	192.168.2.4
Nov 30, 2024 05:35:41.804800034 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.804800034 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.804817915 CET	49778	443	192.168.2.4	151.101.193.91
Nov 30, 2024 05:35:41.806211948 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.806233883 CET	443	49781	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.806354046 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.806471109 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.806492090 CET	443	49781	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.808866978 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.808890104 CET	443	49782	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.809209108 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.809334040 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.809353113 CET	443	49782	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.812093019 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.812104940 CET	443	49783	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.812393904 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.812609911 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:41.812619925 CET	443	49783	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:41.937371969 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:41.941524982 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:41.979001999 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:42.061399937 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:42.251301050 CET	443	49780	35.201.103.21	192.168.2.4
Nov 30, 2024 05:35:42.251391888 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:42.256680965 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:42.256689072 CET	443	49780	35.201.103.21	192.168.2.4
Nov 30, 2024 05:35:42.256793976 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:42.256886959 CET	443	49780	35.201.103.21	192.168.2.4
Nov 30, 2024 05:35:42.257641077 CET	49780	443	192.168.2.4	35.201.103.21
Nov 30, 2024 05:35:42.260603905 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:42.265536070 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:42.270742893 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:42.270776033 CET	443	49784	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:42.270981073 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:42.271075964 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:42.271083117 CET	443	49784	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:42.311114073 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:42.380520105 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:42.593749046 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:42.597517014 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:42.643263102 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:42.717463017 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:42.921571970 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:42.981916904 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.063071012 CET	443	49781	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.064971924 CET	443	49782	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.068032026 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.068150997 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.071333885 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.071348906 CET	443	49781	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.071633101 CET	443	49781	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.073940039 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.073957920 CET	443	49782	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.074210882 CET	443	49782	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.076855898 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.076935053 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.077018976 CET	443	49781	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.077146053 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.077198982 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.077311039 CET	443	49782	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.077821016 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.077848911 CET	49781	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.077850103 CET	49782	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.085870981 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.113410950 CET	443	49783	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.113616943 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.116745949 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.116753101 CET	443	49783	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.117019892 CET	443	49783	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.119102955 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.119174957 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.119263887 CET	443	49783	35.244.181.201	192.168.2.4
Nov 30, 2024 05:35:43.120182037 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.120182037 CET	49783	443	192.168.2.4	35.244.181.201
Nov 30, 2024 05:35:43.205751896 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:43.419405937 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:43.425924063 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.461281061 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.545865059 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:43.577328920 CET	443	49784	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:43.577441931 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:43.581180096 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:43.581190109 CET	443	49784	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:43.581438065 CET	443	49784	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:43.585134029 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:43.585242033 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:43.585293055 CET	443	49784	34.149.100.209	192.168.2.4
Nov 30, 2024 05:35:43.586916924 CET	49784	443	192.168.2.4	34.149.100.209
Nov 30, 2024 05:35:43.588903904 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.708765984 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:43.749986887 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:43.799904108 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.922378063 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:43.925899982 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:43.980688095 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:44.045779943 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:44.249907017 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:44.301379919 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:53.929693937 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:54.049566984 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:54.261887074 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:54.321620941 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:54.382925987 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:54.441402912 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:54.654716015 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:54.660141945 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:54.716105938 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:54.780126095 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:54.984256983 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:35:55.048266888 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:35:59.751043081 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:59.751070976 CET	443	49793	34.107.243.93	192.168.2.4
Nov 30, 2024 05:35:59.751429081 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:59.752895117 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:35:59.752926111 CET	443	49793	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:01.010242939 CET	443	49793	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:01.010411978 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:01.016741991 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:01.016757965 CET	443	49793	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:01.016864061 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:01.016897917 CET	443	49793	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:01.017487049 CET	49793	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:01.019722939 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:01.140973091 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:01.353296041 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:01.357508898 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:01.398283958 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:01.477391005 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:01.681607008 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:01.737076044 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:10.250289917 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.250310898 CET	443	49817	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:10.250489950 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.250544071 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:10.250571966 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.250579119 CET	443	49819	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:10.251329899 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.251461983 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.251463890 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.251507044 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.251519918 CET	443	49817	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:10.251673937 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.251686096 CET	443	49819	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:10.251781940 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:10.251792908 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.355145931 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:11.474992037 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:11.619872093 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.620100975 CET	443	49819	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.620201111 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.620414019 CET	443	49817	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.620615959 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.622939110 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.623460054 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.623473883 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.623713017 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.625978947 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.625983953 CET	443	49819	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.626230955 CET	443	49819	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.628254890 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.628259897 CET	443	49817	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.628503084 CET	443	49817	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.631736994 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.631887913 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.632024050 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632033110 CET	443	49818	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.632112026 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632188082 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632277966 CET	443	49819	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.632659912 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632739067 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632803917 CET	443	49817	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.632848978 CET	49819	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632869959 CET	49818	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.632940054 CET	49817	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.637058020 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:11.641318083 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.641339064 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.648425102 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.648462057 CET	443	49826	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.648569107 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.648582935 CET	443	49827	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.648868084 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.649009943 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.649009943 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.649009943 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.649034977 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.649178982 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.649190903 CET	443	49826	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.649254084 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.649266958 CET	443	49827	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.650738955 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.650762081 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.650866032 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.650971889 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:11.650984049 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:11.687274933 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:11.756953001 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:11.807234049 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:11.970082998 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:11.974384069 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:12.018923998 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:12.094245911 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:12.298145056 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:12.357635975 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:12.861247063 CET	443	49826	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.861386061 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.864695072 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.864720106 CET	443	49826	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.864953041 CET	443	49826	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.867048025 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.867161036 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.867192030 CET	443	49826	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.868402958 CET	49826	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.870089054 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:12.908721924 CET	443	49827	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.908807993 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.912168980 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.912174940 CET	443	49827	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.912408113 CET	443	49827	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.915003061 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.915119886 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.915150881 CET	443	49827	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.915282965 CET	49827	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.932964087 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.933033943 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.936182022 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.936188936 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.936425924 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.938802958 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.938929081 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.938935041 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.938941002 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.972618103 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.972635031 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.972698927 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.975927114 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.975939989 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.976193905 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.978416920 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.978535891 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.978568077 CET	443	49825	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:12.982650042 CET	49825	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:12.989972115 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:13.143342972 CET	443	49828	34.120.208.123	192.168.2.4
Nov 30, 2024 05:36:13.143439054 CET	49828	443	192.168.2.4	34.120.208.123
Nov 30, 2024 05:36:13.203099966 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:13.206315994 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:13.260461092 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:13.326164007 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:13.530025005 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:13.576864958 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:23.204616070 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:23.324517012 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:23.536895990 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:23.656723976 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:33.334258080 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:33.454371929 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:33.665966034 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:33.785860062 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:41.597754955 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:41.597814083 CET	443	49890	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:41.598220110 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:41.599766970 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:41.599781036 CET	443	49890	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:42.865700960 CET	443	49890	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:42.865796089 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:42.870906115 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:42.870913029 CET	443	49890	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:42.871020079 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:42.871049881 CET	443	49890	34.107.243.93	192.168.2.4
Nov 30, 2024 05:36:42.871126890 CET	49890	443	192.168.2.4	34.107.243.93
Nov 30, 2024 05:36:42.873704910 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:42.993583918 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:43.206613064 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:43.210819006 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:43.262073994 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:43.330693960 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:43.615322113 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:43.663239956 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:53.220525980 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:53.340419054 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:36:53.621701002 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:36:53.741566896 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:37:03.349308014 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:37:03.469269991 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:37:03.750437021 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:37:03.870316982 CET	80	49751	34.107.221.82	192.168.2.4
Nov 30, 2024 05:37:13.481157064 CET	49752	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:37:13.600955009 CET	80	49752	34.107.221.82	192.168.2.4
Nov 30, 2024 05:37:13.876936913 CET	49751	80	192.168.2.4	34.107.221.82
Nov 30, 2024 05:37:13.996814966 CET	80	49751	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 05:35:12.203089952 CET	53588	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:12.430808067 CET	53	53588	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:12.435887098 CET	55633	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:12.659337997 CET	53	55633	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:13.729993105 CET	61947	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:13.732860088 CET	56768	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:13.867357016 CET	53	61947	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:13.869030952 CET	56583	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:13.886264086 CET	56450	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.006805897 CET	53	56583	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.009208918 CET	57316	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.024111986 CET	53	56450	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.025698900 CET	57880	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.103148937 CET	62514	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.136990070 CET	53568	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.148236036 CET	53	57316	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.163033009 CET	53	57880	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.206959009 CET	62321	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.274297953 CET	53	53568	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.286478996 CET	50490	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.336035967 CET	53	62514	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.337938070 CET	65093	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.346246004 CET	53	62321	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.347240925 CET	63743	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.419886112 CET	49180	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.479237080 CET	53	65093	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.482367039 CET	57127	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.485616922 CET	53	63743	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.530766010 CET	53	50490	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.531653881 CET	62172	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.557174921 CET	53	49180	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.619750023 CET	53	57127	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.669462919 CET	53	62172	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.741307974 CET	52917	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.790386915 CET	54144	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:14.878947020 CET	53	52917	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:14.887258053 CET	63081	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:15.024641991 CET	53	63081	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:15.571439981 CET	58942	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:15.709218025 CET	53	58942	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:15.718693972 CET	53	53171	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:15.780344009 CET	54407	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:15.919071913 CET	53	54407	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:15.919939041 CET	55513	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:16.057576895 CET	53	55513	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:16.290416956 CET	53335	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:16.291282892 CET	50778	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:16.427571058 CET	53	53335	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:16.428332090 CET	53	50778	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:16.825579882 CET	51420	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:17.002821922 CET	55657	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:17.140290976 CET	53	55657	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:17.143887997 CET	62997	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:17.281286955 CET	53	62997	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:18.014636040 CET	56040	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:18.151937008 CET	53	56040	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:18.156039953 CET	56905	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:18.293354988 CET	53	56905	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:18.328109980 CET	59703	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:18.465239048 CET	53	59703	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:22.084410906 CET	50728	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:22.222296000 CET	53	50728	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:22.225337982 CET	65330	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:22.363127947 CET	53	65330	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:22.382045984 CET	52107	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:22.519964933 CET	53	52107	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:25.775007963 CET	51236	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:25.840513945 CET	61932	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:25.840816021 CET	54564	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:25.912729025 CET	53	51236	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:25.977767944 CET	53	61932	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:25.977978945 CET	53	54564	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.327517986 CET	55917	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.327569962 CET	57638	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.328136921 CET	53083	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.465971947 CET	53	55917	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.467060089 CET	49301	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.479336023 CET	53	57638	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.480091095 CET	61175	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.552551985 CET	53	53083	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.553363085 CET	65142	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.604329109 CET	53	49301	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.607825041 CET	54477	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.618257046 CET	53	61175	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.618827105 CET	56921	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.691262960 CET	53	65142	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.692523003 CET	56783	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.744844913 CET	53	54477	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.745865107 CET	57862	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.829350948 CET	53	56783	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.830239058 CET	62051	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.841566086 CET	53	56921	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.842272997 CET	51591	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.955389023 CET	53	57862	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.956264019 CET	58252	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.967991114 CET	53	62051	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:26.968774080 CET	51104	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:26.988159895 CET	65520	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:27.094347954 CET	53	58252	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:27.106241941 CET	53	51104	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:27.125515938 CET	53	65520	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:31.188868046 CET	53125	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:31.326241016 CET	53	53125	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:38.374376059 CET	57812	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:38.512676954 CET	53	57812	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.331707954 CET	54916	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:40.343856096 CET	52810	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:40.469990969 CET	53	54916	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.470875978 CET	58847	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:40.481906891 CET	53	52810	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.483709097 CET	65065	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:40.531541109 CET	50413	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:40.611743927 CET	53	58847	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.622467041 CET	53	65065	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.623279095 CET	54287	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:40.996644020 CET	53	54287	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.996742964 CET	53	50413	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:40.998502970 CET	54134	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:41.136718988 CET	53	54134	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:41.137541056 CET	57842	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:41.275630951 CET	53	57842	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:59.612557888 CET	50325	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:59.749792099 CET	53	50325	1.1.1.1	192.168.2.4
Nov 30, 2024 05:35:59.751331091 CET	57849	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:35:59.888705969 CET	53	57849	1.1.1.1	192.168.2.4
Nov 30, 2024 05:36:10.244718075 CET	57774	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:36:10.382304907 CET	53	57774	1.1.1.1	192.168.2.4
Nov 30, 2024 05:36:41.598154068 CET	50880	53	192.168.2.4	1.1.1.1
Nov 30, 2024 05:36:41.735302925 CET	53	50880	1.1.1.1	192.168.2.4
Nov 30, 2024 05:36:42.874003887 CET	50685	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2024 05:35:12.203089952 CET	192.168.2.4	1.1.1.1	0x7aee	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:12.435887098 CET	192.168.2.4	1.1.1.1	0xc449	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:13.729993105 CET	192.168.2.4	1.1.1.1	0xee	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:13.732860088 CET	192.168.2.4	1.1.1.1	0x1e88	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:13.869030952 CET	192.168.2.4	1.1.1.1	0x553e	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:13.886264086 CET	192.168.2.4	1.1.1.1	0x222f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.009208918 CET	192.168.2.4	1.1.1.1	0x3adf	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:14.025698900 CET	192.168.2.4	1.1.1.1	0xa971	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:14.103148937 CET	192.168.2.4	1.1.1.1	0xc19a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.136990070 CET	192.168.2.4	1.1.1.1	0x5462	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.206959009 CET	192.168.2.4	1.1.1.1	0xd69d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.286478996 CET	192.168.2.4	1.1.1.1	0x60df	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.337938070 CET	192.168.2.4	1.1.1.1	0xb68e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.347240925 CET	192.168.2.4	1.1.1.1	0x7c2b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:14.419886112 CET	192.168.2.4	1.1.1.1	0xb03	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.482367039 CET	192.168.2.4	1.1.1.1	0x7ffb	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:14.531653881 CET	192.168.2.4	1.1.1.1	0x974d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:14.741307974 CET	192.168.2.4	1.1.1.1	0xf276	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.790386915 CET	192.168.2.4	1.1.1.1	0xecaf	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.887258053 CET	192.168.2.4	1.1.1.1	0x5fd4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:15.571439981 CET	192.168.2.4	1.1.1.1	0x18cf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:15.780344009 CET	192.168.2.4	1.1.1.1	0x37d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:15.919939041 CET	192.168.2.4	1.1.1.1	0x1fdf	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:16.290416956 CET	192.168.2.4	1.1.1.1	0x8b4c	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.291282892 CET	192.168.2.4	1.1.1.1	0x53b3	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.825579882 CET	192.168.2.4	1.1.1.1	0x792	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:17.002821922 CET	192.168.2.4	1.1.1.1	0x62e2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:17.143887997 CET	192.168.2.4	1.1.1.1	0x7123	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:18.014636040 CET	192.168.2.4	1.1.1.1	0x173f	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:18.156039953 CET	192.168.2.4	1.1.1.1	0x4b8c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:18.328109980 CET	192.168.2.4	1.1.1.1	0x776d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:22.084410906 CET	192.168.2.4	1.1.1.1	0x23d9	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:22.225337982 CET	192.168.2.4	1.1.1.1	0xdae2	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:22.382045984 CET	192.168.2.4	1.1.1.1	0x3c25	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:25.775007963 CET	192.168.2.4	1.1.1.1	0x18e5	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:25.840513945 CET	192.168.2.4	1.1.1.1	0x5868	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.840816021 CET	192.168.2.4	1.1.1.1	0xbd1d	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.327517986 CET	192.168.2.4	1.1.1.1	0x96a6	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.327569962 CET	192.168.2.4	1.1.1.1	0xadb7	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.328136921 CET	192.168.2.4	1.1.1.1	0xb116	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.467060089 CET	192.168.2.4	1.1.1.1	0x3ccb	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:26.480091095 CET	192.168.2.4	1.1.1.1	0x6b6a	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.553363085 CET	192.168.2.4	1.1.1.1	0xd2d9	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:26.607825041 CET	192.168.2.4	1.1.1.1	0x19d0	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.618827105 CET	192.168.2.4	1.1.1.1	0x9551	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 30, 2024 05:35:26.692523003 CET	192.168.2.4	1.1.1.1	0x3c36	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.745865107 CET	192.168.2.4	1.1.1.1	0x442b	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.830239058 CET	192.168.2.4	1.1.1.1	0x2563	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.842272997 CET	192.168.2.4	1.1.1.1	0xa857	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.956264019 CET	192.168.2.4	1.1.1.1	0x754d	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:26.968774080 CET	192.168.2.4	1.1.1.1	0xbc24	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:26.988159895 CET	192.168.2.4	1.1.1.1	0xd733	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:31.188868046 CET	192.168.2.4	1.1.1.1	0x5f30	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:38.374376059 CET	192.168.2.4	1.1.1.1	0x70fb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:40.331707954 CET	192.168.2.4	1.1.1.1	0xd225	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.343856096 CET	192.168.2.4	1.1.1.1	0x84d7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.470875978 CET	192.168.2.4	1.1.1.1	0xf494	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 30, 2024 05:35:40.483709097 CET	192.168.2.4	1.1.1.1	0x1e51	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.531541109 CET	192.168.2.4	1.1.1.1	0xade	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.623279095 CET	192.168.2.4	1.1.1.1	0xb33c	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 30, 2024 05:35:40.998502970 CET	192.168.2.4	1.1.1.1	0xc980	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:41.137541056 CET	192.168.2.4	1.1.1.1	0x8a0f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:35:59.612557888 CET	192.168.2.4	1.1.1.1	0xec8a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:59.751331091 CET	192.168.2.4	1.1.1.1	0xcb38	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:36:10.244718075 CET	192.168.2.4	1.1.1.1	0xfa29	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:36:41.598154068 CET	192.168.2.4	1.1.1.1	0xc23f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 30, 2024 05:36:42.874003887 CET	192.168.2.4	1.1.1.1	0x261	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2024 05:35:12.197349072 CET	1.1.1.1	192.168.2.4	0xd3f0	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:12.430808067 CET	1.1.1.1	192.168.2.4	0x7aee	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:13.867357016 CET	1.1.1.1	192.168.2.4	0xee	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:13.870518923 CET	1.1.1.1	192.168.2.4	0x1e88	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:13.870518923 CET	1.1.1.1	192.168.2.4	0x1e88	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.006805897 CET	1.1.1.1	192.168.2.4	0x553e	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.024111986 CET	1.1.1.1	192.168.2.4	0x222f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.148236036 CET	1.1.1.1	192.168.2.4	0x3adf	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 30, 2024 05:35:14.163033009 CET	1.1.1.1	192.168.2.4	0xa971	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 30, 2024 05:35:14.205785036 CET	1.1.1.1	192.168.2.4	0x5569	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:14.205785036 CET	1.1.1.1	192.168.2.4	0x5569	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.274297953 CET	1.1.1.1	192.168.2.4	0x5462	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:14.274297953 CET	1.1.1.1	192.168.2.4	0x5462	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.336035967 CET	1.1.1.1	192.168.2.4	0xc19a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.346246004 CET	1.1.1.1	192.168.2.4	0xd69d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.479237080 CET	1.1.1.1	192.168.2.4	0xb68e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.530766010 CET	1.1.1.1	192.168.2.4	0x60df	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.557174921 CET	1.1.1.1	192.168.2.4	0xb03	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:14.557174921 CET	1.1.1.1	192.168.2.4	0xb03	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:14.557174921 CET	1.1.1.1	192.168.2.4	0xb03	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:14.878947020 CET	1.1.1.1	192.168.2.4	0xf276	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:15.013189077 CET	1.1.1.1	192.168.2.4	0xecaf	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:15.024641991 CET	1.1.1.1	192.168.2.4	0x5fd4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 30, 2024 05:35:15.709218025 CET	1.1.1.1	192.168.2.4	0x18cf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:15.919071913 CET	1.1.1.1	192.168.2.4	0x37d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.427571058 CET	1.1.1.1	192.168.2.4	0x8b4c	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.428332090 CET	1.1.1.1	192.168.2.4	0x53b3	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.428332090 CET	1.1.1.1	192.168.2.4	0x53b3	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.466320038 CET	1.1.1.1	192.168.2.4	0x10e0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:16.466320038 CET	1.1.1.1	192.168.2.4	0x10e0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:16.963551998 CET	1.1.1.1	192.168.2.4	0x792	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:16.963551998 CET	1.1.1.1	192.168.2.4	0x792	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:17.000075102 CET	1.1.1.1	192.168.2.4	0xad50	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:17.140290976 CET	1.1.1.1	192.168.2.4	0x62e2	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:18.151937008 CET	1.1.1.1	192.168.2.4	0x173f	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:18.151937008 CET	1.1.1.1	192.168.2.4	0x173f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:18.293354988 CET	1.1.1.1	192.168.2.4	0x4b8c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:18.624887943 CET	1.1.1.1	192.168.2.4	0x74d1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:22.222296000 CET	1.1.1.1	192.168.2.4	0x23d9	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:22.222296000 CET	1.1.1.1	192.168.2.4	0x23d9	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:22.222296000 CET	1.1.1.1	192.168.2.4	0x23d9	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:22.363127947 CET	1.1.1.1	192.168.2.4	0xdae2	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977767944 CET	1.1.1.1	192.168.2.4	0x5868	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977978945 CET	1.1.1.1	192.168.2.4	0xbd1d	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:25.977978945 CET	1.1.1.1	192.168.2.4	0xbd1d	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.465971947 CET	1.1.1.1	192.168.2.4	0x96a6	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.479336023 CET	1.1.1.1	192.168.2.4	0xadb7	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:26.479336023 CET	1.1.1.1	192.168.2.4	0xadb7	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.552551985 CET	1.1.1.1	192.168.2.4	0xb116	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.604329109 CET	1.1.1.1	192.168.2.4	0x3ccb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 30, 2024 05:35:26.604329109 CET	1.1.1.1	192.168.2.4	0x3ccb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 30, 2024 05:35:26.604329109 CET	1.1.1.1	192.168.2.4	0x3ccb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 30, 2024 05:35:26.604329109 CET	1.1.1.1	192.168.2.4	0x3ccb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 30, 2024 05:35:26.618257046 CET	1.1.1.1	192.168.2.4	0x6b6a	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.691262960 CET	1.1.1.1	192.168.2.4	0xd2d9	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 30, 2024 05:35:26.744844913 CET	1.1.1.1	192.168.2.4	0x19d0	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:26.744844913 CET	1.1.1.1	192.168.2.4	0x19d0	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.744844913 CET	1.1.1.1	192.168.2.4	0x19d0	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.744844913 CET	1.1.1.1	192.168.2.4	0x19d0	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.744844913 CET	1.1.1.1	192.168.2.4	0x19d0	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.829350948 CET	1.1.1.1	192.168.2.4	0x3c36	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.829350948 CET	1.1.1.1	192.168.2.4	0x3c36	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.829350948 CET	1.1.1.1	192.168.2.4	0x3c36	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.829350948 CET	1.1.1.1	192.168.2.4	0x3c36	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.841566086 CET	1.1.1.1	192.168.2.4	0x9551	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 30, 2024 05:35:26.955389023 CET	1.1.1.1	192.168.2.4	0x442b	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.955389023 CET	1.1.1.1	192.168.2.4	0x442b	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.955389023 CET	1.1.1.1	192.168.2.4	0x442b	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.955389023 CET	1.1.1.1	192.168.2.4	0x442b	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.967991114 CET	1.1.1.1	192.168.2.4	0x2563	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.967991114 CET	1.1.1.1	192.168.2.4	0x2563	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.967991114 CET	1.1.1.1	192.168.2.4	0x2563	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.967991114 CET	1.1.1.1	192.168.2.4	0x2563	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:26.983087063 CET	1.1.1.1	192.168.2.4	0xa857	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:26.983087063 CET	1.1.1.1	192.168.2.4	0xa857	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.469990969 CET	1.1.1.1	192.168.2.4	0xd225	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.481906891 CET	1.1.1.1	192.168.2.4	0x84d7	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.481906891 CET	1.1.1.1	192.168.2.4	0x84d7	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.481906891 CET	1.1.1.1	192.168.2.4	0x84d7	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.481906891 CET	1.1.1.1	192.168.2.4	0x84d7	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.622467041 CET	1.1.1.1	192.168.2.4	0x1e51	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.622467041 CET	1.1.1.1	192.168.2.4	0x1e51	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.622467041 CET	1.1.1.1	192.168.2.4	0x1e51	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.622467041 CET	1.1.1.1	192.168.2.4	0x1e51	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:40.996644020 CET	1.1.1.1	192.168.2.4	0xb33c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 30, 2024 05:35:40.996644020 CET	1.1.1.1	192.168.2.4	0xb33c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 30, 2024 05:35:40.996644020 CET	1.1.1.1	192.168.2.4	0xb33c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 30, 2024 05:35:40.996644020 CET	1.1.1.1	192.168.2.4	0xb33c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 30, 2024 05:35:40.996742964 CET	1.1.1.1	192.168.2.4	0xade	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:40.996742964 CET	1.1.1.1	192.168.2.4	0xade	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:41.136718988 CET	1.1.1.1	192.168.2.4	0xc980	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:35:43.929292917 CET	1.1.1.1	192.168.2.4	0x2b9a	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:43.929292917 CET	1.1.1.1	192.168.2.4	0x2b9a	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:35:59.749792099 CET	1.1.1.1	192.168.2.4	0xec8a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:36:10.237369061 CET	1.1.1.1	192.168.2.4	0xba5b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 30, 2024 05:36:43.011953115 CET	1.1.1.1	192.168.2.4	0x261	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2024 05:36:43.011953115 CET	1.1.1.1	192.168.2.4	0x261	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 05:35:14.002929926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:15.135251999 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71748 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49751	34.107.221.82	80	7700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 05:35:17.084810019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:18.216626883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82490 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:18.352519989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:18.677314043 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82490 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:25.671857119 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:25.995873928 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82497 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:26.510885954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:26.834912062 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82498 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:28.847599030 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:29.171917915 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82501 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:30.897707939 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:31.221905947 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82503 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:31.399717093 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:31.727998018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82503 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:32.792644024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:33.116688013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82504 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:34.108411074 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:34.432642937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82506 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:39.932959080 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:40.257011890 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82512 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:41.941524982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:42.265536070 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82514 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:42.597517014 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:42.921571970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82514 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:43.425924063 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:43.749986887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82515 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:43.925899982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:44.249907017 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82516 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:35:54.261887074 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:35:54.660141945 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:35:54.984256983 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82526 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:36:01.357508898 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:36:01.681607008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82533 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:36:11.687274933 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:36:11.974384069 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:36:12.298145056 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82544 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:36:13.206315994 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:36:13.530025005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82545 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:36:23.536895990 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:36:33.665966034 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:36:43.210819006 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 30, 2024 05:36:43.615322113 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 29 Nov 2024 05:40:28 GMT Age: 82575 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 30, 2024 05:36:53.621701002 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:37:03.750437021 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:37:13.876936913 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 05:35:17.085016966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:18.262448072 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71752 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:18.485121012 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:18.818100929 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71752 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:25.772088051 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:26.105547905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71759 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:28.308988094 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:28.642247915 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71762 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:29.846323967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:30.181076050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71764 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:31.061940908 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:31.394979954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71765 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:32.455660105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:32.789169073 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71766 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:33.771671057 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:34.104820967 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71767 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:39.595454931 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:39.928809881 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71773 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:41.603770971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:41.937371969 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71775 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:42.260603905 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:42.593749046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71776 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:43.085870981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:43.419405937 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71777 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:43.588903904 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:43.922378063 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71777 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:35:53.929693937 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:35:54.321620941 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:35:54.654716015 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71788 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:36:01.019722939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:36:01.353296041 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71795 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:36:11.355145931 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:36:11.637058020 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:36:11.970082998 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71805 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:36:12.870089054 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:36:13.203099966 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71807 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:36:23.204616070 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:36:33.334258080 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:36:42.873704910 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 30, 2024 05:36:43.206613064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 29 Nov 2024 08:39:26 GMT Age: 71837 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 30, 2024 05:36:53.220525980 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:37:03.349308014 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 30, 2024 05:37:13.481157064 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	23:35:04
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb60000
File size:	922'112 bytes
MD5 hash:	A9E989EF5EB79AEEB328A104849F4A85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:35:04
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xff0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:35:04
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xff0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xff0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xff0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xff0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:35:07
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:35:08
Start date:	29/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:35:08
Start date:	29/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:35:08
Start date:	29/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	23:35:09
Start date:	29/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d28453ce-bbb3-47cc-a509-e2588d894b94} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0c946f110 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:35:11
Start date:	29/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -parentBuildID 20230927232528 -prefsHandle 4216 -prefMapHandle 2752 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ec1ea3-4057-4a16-83ca-d99827d7004b} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0db4da710 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:35:17
Start date:	29/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9afbe1b9-40f8-47f5-924a-bbf70670cb96} 7700 "\\.\pipe\gecko-crash-server-pipe.7700" 1b0d9a1ed10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1523
Total number of Limit Nodes:	54

Executed Functions

Function 00B642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B6430D

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetCurrentProcess.KERNEL32(?,00BFCB64,00000000,?,?), ref: 00B64422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B64429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B64454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B64466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B64474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B6447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B644A0

Strings

kernel32.dll, xrefs: 00B6444F
GetNativeSystemInfo, xrefs: 00B64460
|O, xrefs: 00BA36F8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction ID: 1dbe50aecfd7d6a5b96f91be9337c7c13af949a556d9d2477149b227072273ab
Opcode Fuzzy Hash: 240488dea82d6a38e135992f733709cc12d1ebec5fb41ed7f64fa84ccdd9905b
Instruction Fuzzy Hash: 69A1927597E6C4DFC791D7697C827AD7FE4AB27700B0C48D9E84193B32DA244A48CB21

Function 00B642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B650AA,?,?,00000000,00000000), ref: 00B642C9
LoadResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35BE
SizeofResource.KERNEL32(?,00000000,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20), ref: 00BA35D3
LockResource.KERNEL32(00B650AA,?,?,00B650AA,?,?,00000000,00000000,?,?,?,?,?,?,00B64F20,?), ref: 00BA35E6

Strings

SCRIPT, xrefs: 00B642BF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction ID: 90e7b3c68415bbf48626b3781c966682ce71b214e5e6dc4d7141d02f7402a949
Opcode Fuzzy Hash: 72a85dec11a76bcc1c75d700aa10cde2a9275d423ee54c47c3c19422014f719f
Instruction Fuzzy Hash: 6B115A70201604AFDB218B65DD58F277BB9EBC5B51F2081A9F40297260DB71D854CA20

Function 00BA2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C22224), ref: 00BA2C10
ShellExecuteW.SHELL32(00000000,?,?,00C22224), ref: 00BA2C17

Strings

runas, xrefs: 00BA2C0B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction ID: a09d71e5130bef8387738d0374481a7820e926ba06faff045e1ef62ae1cad406
Opcode Fuzzy Hash: fe10c0ee35b586d766951257e9f0d56aaa364774622972bce80de1a1b53e83cf
Instruction Fuzzy Hash: 8811E931208345AED704FF64D951ABEBBE4DF95750F4C04ADF582531A2CF39894AD712

Function 00BCD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Process32NextW.KERNEL32(00000000,?), ref: 00BCD52F
CloseHandle.KERNELBASE(00000000), ref: 00BCD5DC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction ID: 9a9cbc824439486fa0da18bf77fc843f520cee8daff6f58a676b808f01bd2563
Opcode Fuzzy Hash: 1b2f936f26ba239cc5be3456853656a7a621514f3e7058b56a9083dbd775aac1
Instruction Fuzzy Hash: DB319F711083009FD300EF54C881FAFBBE8EFA9354F14096DF585971A1EB719A88CBA2

Function 00BCDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00BA5222), ref: 00BCDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00BCDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00BCDBEE
FindClose.KERNEL32(00000000), ref: 00BCDBFA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction ID: 20dcd2d4351e2390746503bd065cf1a66fb5f0a1e56caf8a70a798773b412206
Opcode Fuzzy Hash: 9df335126ff60e85b0ec6ac2244eda2f3f473665f98affeee918764d707cf5ac
Instruction Fuzzy Hash: 9BF0A0308109185782206F7CAE0D9BB3BACDE01334B104B5AF836C30E0EFB06994C695

Function 00B84CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D09
TerminateProcess.KERNEL32(00000000,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000,?,00B928E9), ref: 00B84D10
ExitProcess.KERNEL32 ref: 00B84D22

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction ID: c7544d572e245b2563579628f0ef3d932c1a3500df1d4fda6ea8bec8bf7305d5
Opcode Fuzzy Hash: ff4239efee954a8fc0e64c657ab7238aa7335141b341bfb3e11b0af841b1216d
Instruction Fuzzy Hash: C4E0B631004149ABCF12BF54DE09A687FA9EB42781B104064FC059B132CB35EE92DB84

Function 00BEAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BEB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB1D4
_wcslen.LIBCMT ref: 00BEB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEB236
_wcslen.LIBCMT ref: 00BEB332

Part of subcall function 00BD05A7: GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6

_wcslen.LIBCMT ref: 00BEB34B
_wcslen.LIBCMT ref: 00BEB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BEB3B6
GetLastError.KERNEL32(00000000), ref: 00BEB407
CloseHandle.KERNEL32(?), ref: 00BEB439
CloseHandle.KERNEL32(00000000), ref: 00BEB44A
CloseHandle.KERNEL32(00000000), ref: 00BEB45C
CloseHandle.KERNEL32(00000000), ref: 00BEB46E
CloseHandle.KERNEL32(?), ref: 00BEB4E3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 850cbb73220f3ee9827349f9ce88937e5d5fdb414b31e4e5c734e756027179ce
Instruction ID: e1f655454cecd9d4be42776e6c20774e61b2d3d983d99146565ce2dccf2789aa
Opcode Fuzzy Hash: 850cbb73220f3ee9827349f9ce88937e5d5fdb414b31e4e5c734e756027179ce
Instruction Fuzzy Hash: 5CF15A315082409FC714EF25C891F6BBBE5EF85314F14859DF89A9B2A2DB35EC44CB52

Function 00B6D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B6D807
timeGetTime.WINMM ref: 00B6DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB28
TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNELBASE(0000000A), ref: 00B6DBB1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 69f667e5fd50184ff954f6cbae1ca74787f66aa866f6d0abfa100c8dc6d1dfd7
Instruction ID: 8784bf7612ef82eebcbf1923cc9455d19caf12665127055079a5e6c0b8c19bf0
Opcode Fuzzy Hash: 69f667e5fd50184ff954f6cbae1ca74787f66aa866f6d0abfa100c8dc6d1dfd7
Instruction Fuzzy Hash: 3A42C230B08645DFD728CF24C894BBABBE0FF45304F5886A9E56587291D7B4E844CB92

Function 00B62CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62D07
RegisterClassExW.USER32(00000030), ref: 00B62D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
LoadIconW.USER32(000000A9), ref: 00B62D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

AutoIt v3 GUI, xrefs: 00B62D23
+, xrefs: 00B62CF0
0, xrefs: 00B62CE9
TaskbarCreated, xrefs: 00B62D37
^, xrefs: 00B62D80, 00B62D8E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: ^$+$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1535172914
Opcode ID: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction ID: f2056b32ee1e4a781b05841c200f1e6994df85dfdda85d5862c7196bee0e9b74
Opcode Fuzzy Hash: 179ab510fc8147eeb89b3e83c671cc28a1abe3d71664d6d1215da76b177899b7
Instruction Fuzzy Hash: 4E21B2B591131CAFDB00DFA4E949BEDBFB4FB08700F04811AEA11A72A0DBB15584CF95

Function 00BA065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

GetLastError.KERNEL32 ref: 00BA076F
__dosmaperr.LIBCMT ref: 00BA0776
GetFileType.KERNELBASE(00000000), ref: 00BA0782
GetLastError.KERNEL32 ref: 00BA078C
__dosmaperr.LIBCMT ref: 00BA0795
CloseHandle.KERNEL32(00000000), ref: 00BA07B5
CloseHandle.KERNEL32(?), ref: 00BA08FF
GetLastError.KERNEL32 ref: 00BA0931
__dosmaperr.LIBCMT ref: 00BA0938

Strings

H, xrefs: 00BA08BD

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction ID: 979a1bb38ae0285b910a144d3b9f93ce1600edeb5e661e73dcee0ea699b8e00f
Opcode Fuzzy Hash: 6429c32c6b80fef3c75d6eb9fe7be9dd49547499fa2e7c5cc2721c2d89c267b2
Instruction Fuzzy Hash: ABA10932A281098FDF19BF68D851BAE7BE0EB0A324F140199F815DB291DB359D12CB95

Function 00B6344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B63A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C31418,?,00B62E7F,?,?,?,00000000), ref: 00B63A78

Part of subcall function 00B63357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B63379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B6356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BA318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BA31CE
RegCloseKey.ADVAPI32(?), ref: 00BA3210
_wcslen.LIBCMT ref: 00BA3277
_wcslen.LIBCMT ref: 00BA3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00B63560
Include, xrefs: 00BA3184, 00BA31C5
\, xrefs: 00BA328C
\Include\, xrefs: 00B63527

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0a1c1f2654f470c274b532310665ac2490dfa46977083b25622ff923ea31b613
Instruction ID: 7179be431f52bea53873614262637f4f1c3eae99d3b6385805afb7b0685b4c64
Opcode Fuzzy Hash: 0a1c1f2654f470c274b532310665ac2490dfa46977083b25622ff923ea31b613
Instruction Fuzzy Hash: C4718A714183059ECB54EF65EC82AAFBBE8FF95740F40486EF545931B0EB349A48CB62

Function 00B62B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B62B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B62B9D
LoadIconW.USER32(00000063), ref: 00B62BB3
LoadIconW.USER32(000000A4), ref: 00B62BC5
LoadIconW.USER32(000000A2), ref: 00B62BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B62BEF
RegisterClassExW.USER32(?), ref: 00B62C40

Part of subcall function 00B62CD4: GetSysColorBrush.USER32(0000000F), ref: 00B62D07
Part of subcall function 00B62CD4: RegisterClassExW.USER32(00000030), ref: 00B62D31
Part of subcall function 00B62CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B62D42
Part of subcall function 00B62CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B62D5F
Part of subcall function 00B62CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B62D6F
Part of subcall function 00B62CD4: LoadIconW.USER32(000000A9), ref: 00B62D85
Part of subcall function 00B62CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B62D94

Strings

#, xrefs: 00B62C16
AutoIt v3, xrefs: 00B62C2F
0, xrefs: 00B62C0F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction ID: 1645c6a3200eb7b17256c156a0bc03978a0a3553fafd9b23f7e1fa74b816f783
Opcode Fuzzy Hash: adeb85f2559daa972195bc64698b0329e25fa52e0ece85d891a6edb9b6faf329
Instruction Fuzzy Hash: E1214971E20318AFDB509FA6ED45BADBFB4FB08B50F08005AEA00A76B0D7B10954CF90

Function 00B63170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B6316A,?,?), ref: 00B631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B6316A,?,?), ref: 00B63204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B63227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B6316A,?,?), ref: 00B63232
CreatePopupMenu.USER32 ref: 00B63246
PostQuitMessage.USER32(00000000), ref: 00B63267

Strings

TaskbarCreated, xrefs: 00B6322D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a68a4b7e449f19e911a56c20b492d29b17077a8411a61f19162214c7d54ba634
Instruction ID: 9579ef90e2b21c879097ff61bcd7ee2973574db7148cb20efdaeeef9ae15b4b5
Opcode Fuzzy Hash: a68a4b7e449f19e911a56c20b492d29b17077a8411a61f19162214c7d54ba634
Instruction Fuzzy Hash: 45411831264204ABDF146B7C9D99B7D3AD9EB06B50F0801A5FE02D72A1CB799E80DB61

Function 00B61410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B61459
CoUninitialize.COMBASE ref: 00B614F8
UnregisterHotKey.USER32(?), ref: 00B616DD
DestroyWindow.USER32(?), ref: 00BA24B9
FreeLibrary.KERNEL32(?), ref: 00BA251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BA254B

Strings

close all, xrefs: 00B61454

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: da463b33534cbe32c74dc3d884741a1588d188b07e0b4d2e1299a5380f46c8bc
Instruction ID: 8bc636c9a8e1ea28f5bfa687a9a519c3b387635fdab19a097fa79ae7dc5e928f
Opcode Fuzzy Hash: da463b33534cbe32c74dc3d884741a1588d188b07e0b4d2e1299a5380f46c8bc
Instruction Fuzzy Hash: BBD17A31B062128FCB19EF19C995A29F7E4FF15700F1885EDE44A6B261DB30AD12CF50

Function 00B610F3 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
Part of subcall function 00B61BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Part of subcall function 00B61B4A: RegisterWindowMessageW.USER32(00000004,?,00B612C4), ref: 00B61BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B6136A
OleInitialize.OLE32 ref: 00B61388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BA24AB

Strings

P, xrefs: 00B611B2
h7, xrefs: 00B6116A
(1, xrefs: 00B6117E
hn, xrefs: 00B61292

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (1$h7$hn$P
API String ID: 1986988660-180628485
Opcode ID: 507f0b67267a72b3238378df9a496dd45689cfc0a174e6cf72b3e9de648dc282
Instruction ID: 714a5882653e6f94f6da1f85f4bf4e8df5c1b6bb42233e6c8945dfcfb7976d4f
Opcode Fuzzy Hash: 507f0b67267a72b3238378df9a496dd45689cfc0a174e6cf72b3e9de648dc282
Instruction Fuzzy Hash: DA71EAB59313048FC784EFB9A9457AD3AE0FB8934071D866AED0AC73A1EB344445CF59

Function 00B62C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B62C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B62CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B61CAD,?), ref: 00B62CCF

Strings

AutoIt v3, xrefs: 00B62C89, 00B62C8E, 00B62C8F
edit, xrefs: 00B62CAC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction ID: d152f9f95494e02e3bf0b5cc80681b2fbe1c219c39ed3e06aa4abd18e382f03f
Opcode Fuzzy Hash: 72857aebde6c4133cdd5abf6d09263425c8a72948dd9911b54173c89fc4d982f
Instruction Fuzzy Hash: AEF0DA755502987EEB711B17AC08FBB6EBDD7C6F50B04405AFE04A35B0C6615898DEB0

Function 00B92DF8 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6), ref: 00B92DFD
_free.LIBCMT ref: 00B92E32
_free.LIBCMT ref: 00B92E59
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E66
SetLastError.KERNEL32(00000000,00B61129), ref: 00B92E6F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6692cc3fcc62fd629e3f0fb370dcb385f989b28d81df06c7c980915970c23333
Instruction ID: 0f7634020965e4e23ee2e83bb1d8afa43b6dca3e4e819759692b05f081f0fd49
Opcode Fuzzy Hash: 6692cc3fcc62fd629e3f0fb370dcb385f989b28d81df06c7c980915970c23333
Instruction Fuzzy Hash: A801A432E45E007BCE1267746DC6E2F2AEDEFD17A5B2540B9F425A3292EF748C414160

Function 00B63B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B63B0F,SwapMouseButtons,00000004,?), ref: 00B63B83

Strings

Control Panel\Mouse, xrefs: 00B63B3E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction ID: fb74a1526914a202e27c69ab16e28094c7332741c717dea93dddd6565c40903a
Opcode Fuzzy Hash: aaae925e4bdb2bb62a1dcf484e1f7ddcfc3709abebed9decafff858cacf06650
Instruction Fuzzy Hash: 951157B1610208FFDB208FA4DC84EEEBBF8EF05B40B1484AAE901D7110E6319E409BA0

Function 00B63923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BA33A2

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Strings

Line: , xrefs: 00BA33EB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction ID: 715ac9b7d6644f5ab6df6c8aecec7c74482d60e9d6f46bcb94b446fcd34da6b6
Opcode Fuzzy Hash: 438139af449257a151c28303531e1b6aedd37a2f8b5ce0490b328c4d8f59f301
Instruction Fuzzy Hash: 6831D271408304AED725EB20DC45BEFB7D8AF40B10F0845AAF59A931E1DF789A48CBC6

Function 00B7FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80668

Part of subcall function 00B832A4: RaiseException.KERNEL32(?,?,?,00B8068A,?,00C31444,?,?,?,?,?,?,00B8068A,00B61129,00C28738,00B61129), ref: 00B83304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

Strings

Unknown exception, xrefs: 00B80692

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: af1dc297fc7c23029b57602498e7627a6f23c24432b4a4fd4f552728e5a46549
Instruction ID: 47c005a4a9fa5d52c66e64da7983987cc9b6ec5b33b5b10ffdf733e99523b922
Opcode Fuzzy Hash: af1dc297fc7c23029b57602498e7627a6f23c24432b4a4fd4f552728e5a46549
Instruction Fuzzy Hash: FFF0C83490020EB78B14BA64E886CAD77EC9E00750B6085F1B928965B1EF71DA5DC794

Function 00BCC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B63A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BCC259
KillTimer.USER32(?,00000001,?,?), ref: 00BCC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BCC270

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5f85e43286a44792cf3659dc8b3cee81570abedb92c6608fca0b089814996fa5
Instruction ID: 2b763749cf961eaf87f9d957e5f32e10410dd41bb990b927caf7eeea3904d18f
Opcode Fuzzy Hash: 5f85e43286a44792cf3659dc8b3cee81570abedb92c6608fca0b089814996fa5
Instruction Fuzzy Hash: D0319170904344AFEB729F648895BEBBFECAB26308F0404DED6DEA7241C7745A84CB51

Function 00B986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B985CC,?,00C28CC8,0000000C), ref: 00B98704
GetLastError.KERNEL32(?,00B985CC,?,00C28CC8,0000000C), ref: 00B9870E
__dosmaperr.LIBCMT ref: 00B98739

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction ID: f15f9d2fa204843af4b4d74f50e35f0100ef725e44a961ea1a5898a37b27a80b
Opcode Fuzzy Hash: 553c994e8f7373f3f7f21b0869e6f368cc572bd964fad5be4d8063af49b39095
Instruction Fuzzy Hash: B8012633A0962027DE356274A845B7E6BD98B83774F3901F9F9198F1D2DEB48C81C294

Function 00B6DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00B6DB7B
DispatchMessageW.USER32(?), ref: 00B6DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B6DB9F
Sleep.KERNELBASE(0000000A), ref: 00B6DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00BB1CC9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6afe2bd9fa82a225ff39a7cc594d56da23e80e88a430aa1f64981591c21d6a47
Instruction ID: 2f6c0029be1538dae536d6fe47405864b49fc922ba0841663d4c5c73a34dc9d2
Opcode Fuzzy Hash: 6afe2bd9fa82a225ff39a7cc594d56da23e80e88a430aa1f64981591c21d6a47
Instruction Fuzzy Hash: 14F05E316143449BEB30DBA08C99FFA77E8EB48310F544959E61A870D0DB74A488CB16

Function 00B71310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B717F6

Strings

CALL, xrefs: 00B717C6

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f990f918dbcf201d950203706a81565bd8e4d7ac6f021522ac2d2afe68a20bb8
Instruction ID: 2eb3834fad85307dbf2d9587a7f03e02904d75c17e6e4ed2db7dfb29ea9422e3
Opcode Fuzzy Hash: f990f918dbcf201d950203706a81565bd8e4d7ac6f021522ac2d2afe68a20bb8
Instruction Fuzzy Hash: 6C2289706082019FC714DF18C490A6ABBF1FF95314F1489ADF4AA8B3A1D775ED45CBA2

Function 00B62DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BA2C8C

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00B62DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B62DC4

Strings

X, xrefs: 00BA2C5A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction ID: 05bd0b9527b1892c66f3430bbf4c9182a476e0bd6b952cc424edbf4892f79365
Opcode Fuzzy Hash: 4b8f0f0ad114f48d95a5bb2956765d064aae98424fb37b41aec4e2000efaae3c
Instruction Fuzzy Hash: 3221A571A002989FDF41EF98D845BEE7BF8EF49714F008099E505A7241DFB85A89CF61

Function 00B63837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 23468f39487a34e84dcbce4b65de20e71b28291f703af0aabe0e4b0f20e31bbf
Instruction ID: 65c30d81396580b22907a0cc207a648bdc697252df72aebf58ae6957c8e20dd9
Opcode Fuzzy Hash: 23468f39487a34e84dcbce4b65de20e71b28291f703af0aabe0e4b0f20e31bbf
Instruction Fuzzy Hash: 3831A2705047019FD760DF24D8847DBBBE8FB49B08F04096EFA9A83290E775AA44CB52

Function 00B7F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B7F661

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

Sleep.KERNEL32(00000000), ref: 00BBF2DE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e6cba91e7c8a9767c0097762e2fddc3ec2ed322e1c1218bfd4a9256e44f2858f
Instruction ID: 76174f5aa5c7ffa12633d390bbb6ffc52ec6acc3e9842a66673a0def6fa836a4
Opcode Fuzzy Hash: e6cba91e7c8a9767c0097762e2fddc3ec2ed322e1c1218bfd4a9256e44f2858f
Instruction Fuzzy Hash: 41F08C312402059FD310EF69D959FBABBE8EF55760F0040B9E85AC7361EB70AC40CB91

Function 00B64ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B64E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
Part of subcall function 00B64E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
Part of subcall function 00B64E90: FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EFD

Part of subcall function 00B64E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
Part of subcall function 00B64E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
Part of subcall function 00B64E59: FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction ID: bbf1136367744c18312e96bc89b6bfd968333a87e7f25c01dd4cd029ebe316c9
Opcode Fuzzy Hash: 64711ae935146f381795a60ec3a3e9e38ff187543a5bfd6c90e33f28657b63b2
Instruction Fuzzy Hash: 7E112332600705AACB25BB60DC02FED77E4AF40B10F2084AEF546A71D1EF799A459B90

Function 00B98402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B98440

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction ID: 3cfaca47b8c41f26a7534fb45046bb09d2ad4ceb958e256927b467edb2852220
Opcode Fuzzy Hash: 8521b21c96813b3bb9dbf78b3aae857502d6818484b4ee006cdfcd4978753587
Instruction Fuzzy Hash: 5A11187590410AAFCF05DF58E941A9E7BF5EF49314F1040A9F808AB312DA31DA11CBA5

Function 00B8E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 843299ac119ce96f31a33c8428911f700e8bdf12ec91f8a774d7fa2e90c25d91
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 89F0F432510A14A6DA313A69DC05B5A37D89F53330F1407F6F434962F2EB74D802CBA5

Function 00B94C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B61129,00000000,?,00B92E29,00000001,00000364,?,?,?,00B8F2DE,00B93863,00C31444,?,00B7FDF5,?), ref: 00B94CBE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction ID: 0e1d47889ad0f31a23e5040a5e872804b21eb8cf756c011329229d7f10634d10
Opcode Fuzzy Hash: 1c5fafb77ed47a9f1afd189897b69fd75b4b9fd7fcb9e14aeec473a838f656d5
Instruction Fuzzy Hash: A6F0B4316022256EDF216F729C05F5B37E8FF417A1B1542B5B819A7191CB70D802C6A0

Function 00B93820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction ID: 9a57fe23ee88494276b1ea98af9a26c3360b1144ed6125eed39fb71ebca2468c
Opcode Fuzzy Hash: d55df8a9d889606ecbf539f54c179d0fdec8d30d75e6dfeb7738252080693856
Instruction Fuzzy Hash: A8E0E5311006259ADE213A679C84B9A36C9EF42FB0F1500F1BD05928A0DB10DE01D3E0

Function 00B64F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64F6D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction ID: d00264b31117becdeeab14f33713bd587b4a4ba9b84c3e78c62e7e170cee7826
Opcode Fuzzy Hash: df038e427abc4e16661d9b3b62f00030268ec8d5f240bc17efa231a0ce27bab4
Instruction Fuzzy Hash: ACF03071105B51CFDB389F64D490822BBE4EF1431931089BEE1EE83521CB359844DF10

Function 00BF2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BF2A66

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 56fa18146ae1696a48162fa38ba1a9cf85d99986448403ae7a96a7a3e8075b5a
Instruction ID: 70f1b3e0ea44646919c4417a077a7541c5ec97040be16b3c0cbbe583c3d65b79
Opcode Fuzzy Hash: 56fa18146ae1696a48162fa38ba1a9cf85d99986448403ae7a96a7a3e8075b5a
Instruction Fuzzy Hash: 0BE04F3635411AAAC714EB30EC809FAB7DCEB5039571045BAAD56D3100EB309A99D6A0

Function 00B630F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction ID: 87e34a5fdf57c5ff1f0df8bfb51420d300e4b1b119658307f29037de7c93e364
Opcode Fuzzy Hash: 6048af5b30f9d62287c145687e4cdb493b8c24eafe936436b5bfcd8134ddd0d8
Instruction Fuzzy Hash: 79F037709143189FEB929B24DC457D97BFCA701708F0400E5A54897291DB745788CF51

Function 00B62DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B62DC4

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction ID: 41e37ecc4d51e391596d02710fb86e3fd042a8dc7651a1f20ea25244f9498668
Opcode Fuzzy Hash: 9d0e406b374f023fc2157e9d73b6d7a5e726691cf60d717cfae38fd9141a09ac
Instruction Fuzzy Hash: BEE0CD766041245BC710965C9C06FEA77DDDFC8790F0440B1FD09D7248D964AD80C550

Function 00B62B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B63837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B63908

Part of subcall function 00B6D730: GetInputState.USER32 ref: 00B6D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B62B6B

Part of subcall function 00B630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B6314E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction ID: 59ec40c68d448488f95245932435815bc0040495fc7400094f295e4faf94ce1b
Opcode Fuzzy Hash: dc03a2e76bd189d9e2c288f5deb1099a980d50650c66a5b59df58a6f151cb402
Instruction Fuzzy Hash: 64E0CD317042840BCA08BB75A8526BDF7D9DBD1751F4419BEF546431A3CF3D49498352

Function 00BA039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BA0704,?,?,00000000,?,00BA0704,00000000,0000000C), ref: 00BA03B7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction ID: 1536021126fcaccfb6c8da31c26aa86778ab0494f2377f1aa97fcf891fbedf8c
Opcode Fuzzy Hash: 6f87200e69c9e59d16f50962c195aeb5d46468cc2d8cb90337cedb4864f83cec
Instruction Fuzzy Hash: 36D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E971EB90

Function 00B61CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B61CBC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction ID: 47db01a20c56d3fe3aaf6db96fe3e3f97650eb12e61011dd03924c4fb6945017
Opcode Fuzzy Hash: 67cfda639c983899ccac04df6f097b47cbd51309ecbf4e043110c5cca879c57a
Instruction Fuzzy Hash: 63C09236290308AFF6148B80BD4BF287B64A358B01F088001FA09AB5F3C7A22864EA50

Non-executed Functions

Function 00BF9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BF961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BF969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF96C9
SendMessageW.USER32 ref: 00BF96F2
GetKeyState.USER32(00000011), ref: 00BF978B
GetKeyState.USER32(00000009), ref: 00BF9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BF97AE
GetKeyState.USER32(00000010), ref: 00BF97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BF97E9
SendMessageW.USER32 ref: 00BF9810
SendMessageW.USER32(?,00001030,?,00BF7E95), ref: 00BF9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BF992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BF9941
SetCapture.USER32(?), ref: 00BF994A
ClientToScreen.USER32(?,?), ref: 00BF99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BF99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF99D6
ReleaseCapture.USER32 ref: 00BF99E1
GetCursorPos.USER32(?), ref: 00BF9A19
ScreenToClient.USER32(?,?), ref: 00BF9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9A80
SendMessageW.USER32 ref: 00BF9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9AEB
SendMessageW.USER32 ref: 00BF9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BF9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BF9B4A
GetCursorPos.USER32(?), ref: 00BF9B68
ScreenToClient.USER32(?,?), ref: 00BF9B75
GetParent.USER32(?), ref: 00BF9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BF9BFA
SendMessageW.USER32 ref: 00BF9C2B
ClientToScreen.USER32(?,?), ref: 00BF9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BF9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BF9CDE
SendMessageW.USER32 ref: 00BF9D01
ClientToScreen.USER32(?,?), ref: 00BF9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BF9D82

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetWindowLongW.USER32(?,000000F0), ref: 00BF9E05

Strings

F, xrefs: 00BF9D07
@GUI_DRAGID, xrefs: 00BF997D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction ID: bf1036f9883fc9924598a2981710cad81fa117034cbd3d62fa7faad7aafd9ba8
Opcode Fuzzy Hash: 69299c0cd9348b57a4038412ff8bf569a40accfcb2aae3bc1c22df08605d58f4
Instruction Fuzzy Hash: 7B428D34204209AFDB24DF24CD84BBABBE5FF49710F144699F699C72A1DB31A898CF51

Function 00BF4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00BF48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00BF4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00BF4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00BF494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00BF495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00BF497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00BF49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00BF49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00BF4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BF4A7E
IsMenu.USER32(?), ref: 00BF4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF4B20
GetWindowLongW.USER32(?,000000F0), ref: 00BF4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00BF4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00BF4C82
wsprintfW.USER32 ref: 00BF4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BF4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BF4D5A

Strings

%d/%02d/%02d, xrefs: 00BF4CA8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6e5a8048c01940ab5c4eb9526904c727b02c2286a7ddaffb0883cc0d3071bd38
Instruction ID: f0acfa45b78fd4878151f6dd17c84209c81f0449f8b871a0477bc1a19d350465
Opcode Fuzzy Hash: 6e5a8048c01940ab5c4eb9526904c727b02c2286a7ddaffb0883cc0d3071bd38
Instruction Fuzzy Hash: 6812CF71600259ABEB248F28CC49FBF7BF8EF45710F1041A9FA1ADB2A1DB749945CB50

Function 00B7F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B7F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BBF474
IsIconic.USER32(00000000), ref: 00BBF47D
ShowWindow.USER32(00000000,00000009), ref: 00BBF48A
SetForegroundWindow.USER32(00000000), ref: 00BBF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4AA
GetCurrentThreadId.KERNEL32 ref: 00BBF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BBF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BBF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BBF4DE
SetForegroundWindow.USER32(00000000), ref: 00BBF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF4F6
keybd_event.USER32(00000012,00000000), ref: 00BBF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF50B
keybd_event.USER32(00000012,00000000), ref: 00BBF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF519
keybd_event.USER32(00000012,00000000), ref: 00BBF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BBF528
keybd_event.USER32(00000012,00000000), ref: 00BBF52D
SetForegroundWindow.USER32(00000000), ref: 00BBF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BBF557

Strings

Shell_TrayWnd, xrefs: 00BBF46F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction ID: 6f2303501006fc0fbbe1594c6e0819deafddc60eb9b4ac265eb85b1f339215d6
Opcode Fuzzy Hash: a58526e032f09001e4f02b988ab7dccf14ff4e7434b6c84609cbc9d18f5a1cab
Instruction Fuzzy Hash: E2314F71A4021DBBEB206BB55D4AFBF7EACEB44B50F100065FA01E71D1CBB19D40EAA0

Function 00BC1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BC1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BC12A8
CloseHandle.KERNEL32(?), ref: 00BC12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BC12D1
GetProcessWindowStation.USER32 ref: 00BC12EA
SetProcessWindowStation.USER32(00000000), ref: 00BC12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BC1310

Part of subcall function 00BC10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
Part of subcall function 00BC10BF: CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Strings

default, xrefs: 00BC130B
, xrefs: 00BC125A
winsta0, xrefs: 00BC12CC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 80ab3682d7dc906a0cfb73bed8ff325645e86ddeaf29a50be60bbedc56332496
Instruction ID: 9b73bf645e1938dbf2bd310cc06b289795f79b91475d494bc70968c617f2892a
Opcode Fuzzy Hash: 80ab3682d7dc906a0cfb73bed8ff325645e86ddeaf29a50be60bbedc56332496
Instruction Fuzzy Hash: 15817871900209ABDF259FA8DD49FEE7BB9EF05704F1445A9F910B72A2DB308984CF60

Function 00BC0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0C00
GetLengthSid.ADVAPI32(?), ref: 00BC0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0C6D
GetLengthSid.ADVAPI32(?), ref: 00BC0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0C8C
HeapAlloc.KERNEL32(00000000), ref: 00BC0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0CB4
CopySid.ADVAPI32(00000000), ref: 00BC0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D45
HeapFree.KERNEL32(00000000), ref: 00BC0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D55
HeapFree.KERNEL32(00000000), ref: 00BC0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0D65
HeapFree.KERNEL32(00000000), ref: 00BC0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0D78
HeapFree.KERNEL32(00000000), ref: 00BC0D7F

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction ID: 59750d439d50d0531e688b5e40e1e8dd2db01ed4be20587950c4ef35a9dbb9c0
Opcode Fuzzy Hash: bee75659effae38db4e7c3d1bea5d66397d80bd5e63f545998313108dd802cc6
Instruction Fuzzy Hash: 2E715C7290020AEBDF10EFA4DD44FAEBBB8FF04700F1446A9E915E7191DB71AA45CB60

Function 00BDEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BFCC08), ref: 00BDEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BDEB37
GetClipboardData.USER32(0000000D), ref: 00BDEB43
CloseClipboard.USER32 ref: 00BDEB4F
GlobalLock.KERNEL32(00000000), ref: 00BDEB87
CloseClipboard.USER32 ref: 00BDEB91
GlobalUnlock.KERNEL32(00000000), ref: 00BDEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00BDEBC9
GetClipboardData.USER32(00000001), ref: 00BDEBD1
GlobalLock.KERNEL32(00000000), ref: 00BDEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00BDEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00BDEC38
GetClipboardData.USER32(0000000F), ref: 00BDEC44
GlobalLock.KERNEL32(00000000), ref: 00BDEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BDEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BDECD2
GlobalUnlock.KERNEL32(00000000), ref: 00BDECF3
CountClipboardFormats.USER32 ref: 00BDED14
CloseClipboard.USER32 ref: 00BDED59

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction ID: dba7c4042ec047c30d9c36c963c0e20cf1a280dc140eeed80a5a3810300274c7
Opcode Fuzzy Hash: cc394dfb89e49c42bf0c498ad99efe7ad7c0482d89abcdc560db912d4f2f5805
Instruction Fuzzy Hash: C6619F34204206AFD300EF24D985F3ABBE4EF84714F14459AF4669B3A1EF31E949CB62

Function 00BD698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD69BE
FindClose.KERNEL32(00000000), ref: 00BD6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BD6A75

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BD6ADF

Strings

%02d, xrefs: 00BD6C00, 00BD6C0A, 00BD6C5A, 00BD6CAA, 00BD6CFA, 00BD6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00BD6B32
%4d, xrefs: 00BD6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00BD6B6A
%03d, xrefs: 00BD6DA2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction ID: 645c0ce30bd43c8367799652124b65aff21d8a1558a4cb0429122284c0f19f3c
Opcode Fuzzy Hash: 4b21bd78aa07d8724e9fd26a382377ec281be50a824e355eded18b7659227a1b
Instruction Fuzzy Hash: 2FD14171508340AFC714DBA4C981EABB7ECEF98704F04495EF589D7251EB78DA44CB62

Function 00BD9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00BD9663
GetFileAttributesW.KERNEL32(?), ref: 00BD96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00BD96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00BD96D3
FindClose.KERNEL32(00000000), ref: 00BD96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD974A
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD9772
FindClose.KERNEL32(00000000), ref: 00BD977F
FindClose.KERNEL32(00000000), ref: 00BD978F

Strings

*.*, xrefs: 00BD96F5

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction ID: 3802f2f8b2500d5cc324c8c7da13e69db583ed3d9f16f293c0f1980c314bbeae
Opcode Fuzzy Hash: e154f76431f341df7f276a8585639fa8809e0614b46b093f81c3f73891a9f261
Instruction Fuzzy Hash: 0331843254121D6ADF14AFB4ED49AEEBBECDF49321F1041A6E915E31A0EB30DD84CB64

Function 00BD979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00BD97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00BD9819
FindClose.KERNEL32(00000000), ref: 00BD9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00BD9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD9890
SetCurrentDirectoryW.KERNEL32(00C26B7C), ref: 00BD98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD98B8
FindClose.KERNEL32(00000000), ref: 00BD98C5
FindClose.KERNEL32(00000000), ref: 00BD98D5

Part of subcall function 00BCDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BCDB00

Strings

*.*, xrefs: 00BD983B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction ID: 06acc43bdf9c90ac78a539326e5383b2bcfb94e433be96e5f94f689513cca1b1
Opcode Fuzzy Hash: 4f0c41848de4fdc4b112b2ee1d7da99793cbe06622dfcd6ed0a76fe101179fc0
Instruction Fuzzy Hash: 9A31953254061D6ADF14AFA4EC48AEEB7ECDF06760F1441A6E514A32A0EB31D984DB64

Function 00BEBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BEBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00BEBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BEC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BEC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BEC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BEC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEC382
RegCloseKey.ADVAPI32(00000000), ref: 00BEC38F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: c4802f8cf1e8e93939a4efd0dfa6d4b12f0326737854aa1f5a41952674596974
Instruction ID: 781062b2849992882ec6afd5a9eff0a122259ff3536bb8d36b17e81eba50f3da
Opcode Fuzzy Hash: c4802f8cf1e8e93939a4efd0dfa6d4b12f0326737854aa1f5a41952674596974
Instruction Fuzzy Hash: 97025F716042409FD714DF29C895E2ABBE5EF49318F18C49DF84ADB2A2DB31EC46CB91

Function 00BD8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BD8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00BD8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BD8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8395

Strings

*.*, xrefs: 00BD839B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction ID: 846e28686d7d291e0eac49c05aa694f81e4a8ddc7ce4d3d0ecb6e323d9c34ecb
Opcode Fuzzy Hash: e08682bf7fa7f5c27d2f0aefaef63608c3eccf636cf71eba06364e83c1ab9e6c
Instruction Fuzzy Hash: 3E616A725043459FCB10EF64C8409AEF7E8FF89320F0449AEF99997251EB35E949CB92

Function 00BCD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BCD1DD
MoveFileW.KERNEL32(?,?), ref: 00BCD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD237

Part of subcall function 00BCD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BCD21C,?,?), ref: 00BCD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00BCD253
FindClose.KERNEL32(00000000), ref: 00BCD264

Strings

\*.*, xrefs: 00BCD0CD, 00BCD0D6, 00BCD0EB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction ID: 0f9df49f36ff4b1f5c8a01381ecf26534b93cb55c5bfb3b56a8ab6d3cdeb75ae
Opcode Fuzzy Hash: 3dc20f966c8374256df98fe0bcef510557e3d722cecd442928a1ac7ee0b0b8be
Instruction Fuzzy Hash: A8614A3580110DAACF15EBE0DA92EEDBBF9EF55340F2441A9E40277191EB34AF09DB60

Function 00BDED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BDED91
EmptyClipboard.USER32 ref: 00BDED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00BDEDAC
CloseClipboard.USER32 ref: 00BDEEA3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction ID: dea957120ca64b81f18dd9d7defb68b477c078336b303ca6975bb761bcee941b
Opcode Fuzzy Hash: f427fa83fe91071ab2e059e678da7d8c57e802360ea937c0843102a7a87dac76
Instruction Fuzzy Hash: BF417E35604651EFE720EF15D888B29BBE5EF44318F14C09AE4698F762DB75EC81CB90

Function 00BCE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
Part of subcall function 00BC16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
Part of subcall function 00BC16C3: GetLastError.KERNEL32 ref: 00BC174A

ExitWindowsEx.USER32(?,00000000), ref: 00BCE932

Strings

@, xrefs: 00BCE925
, xrefs: 00BCE920
, xrefs: 00BCE95C
SeShutdownPrivilege, xrefs: 00BCE902

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction ID: c97b96fc8b158dc47dd9723b14ebd420d51ab259cfc1121c6ea16d1b9bd82622
Opcode Fuzzy Hash: e14636d0395f863603d176309c70270b07fe734be64bf14527057eb69349e6c8
Instruction Fuzzy Hash: BF012B32610215EBEB5426789C8AFBF72DCD714740F1449A9F823E30D2DAF09C808294

Function 00BE1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BE1276
WSAGetLastError.WSOCK32 ref: 00BE1283
bind.WSOCK32(00000000,?,00000010), ref: 00BE12BA
WSAGetLastError.WSOCK32 ref: 00BE12C5
closesocket.WSOCK32(00000000), ref: 00BE12F4
listen.WSOCK32(00000000,00000005), ref: 00BE1303
WSAGetLastError.WSOCK32 ref: 00BE130D
closesocket.WSOCK32(00000000), ref: 00BE133C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction ID: 3e8fce062dff851083819e4196f7a228e2af60742076ff7a326a35dda1ef8cf3
Opcode Fuzzy Hash: d17324ca274b8626ad967931a48bbd4487c17ef4bcc3cb969f28caeb4e3cbe1c
Instruction Fuzzy Hash: 2E41AF31600140AFD710DF69C988B69BBE5EF46318F2885D8E9569F292C771EC85CBA1

Function 00BCD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

FindFirstFileW.KERNEL32(?,?), ref: 00BCD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00BCD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCD481
FindClose.KERNEL32(00000000), ref: 00BCD498
FindClose.KERNEL32(00000000), ref: 00BCD4A1

Strings

\*.*, xrefs: 00BCD3F2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction ID: b1f783e2c30c718a8c620bd41616648644d91c5edbb044200b0da55fa938b894
Opcode Fuzzy Hash: f5b92c669c34b2ef90edde96b91bc5cb7031018b8f50e207e9a313bbae6dfa6f
Instruction Fuzzy Hash: 45318E310083459BC304EF64D9919AFBBE8EE92304F444AADF4D593291EB34AA09DB63

Function 00B9E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B9E645

Strings

1#SNAN, xrefs: 00B9F844
1#INF, xrefs: 00B9F852
1#QNAN, xrefs: 00B9F84B
1#IND, xrefs: 00B9F83D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction ID: 02afb6e3410a8773bd34bb290138d20ae3f0a8f9b4045c9aaef4227ec5dd1c3f
Opcode Fuzzy Hash: 1f6c801120bc4068196bc4f341b3781c2bf94b493670789bbd9facb6a7258f06
Instruction Fuzzy Hash: 29C23771E086298BDF25CE289D807EAB7F5EB48315F1541FAD85DE7240E778AE818F40

Function 00BD648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BD64DC
CoInitialize.OLE32(00000000), ref: 00BD6639
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD6650
CoUninitialize.OLE32 ref: 00BD68D4

Strings

.lnk, xrefs: 00BD64BA, 00BD6524, 00BD65E0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction ID: 07a56de05b624f83f2ad96c9b11f03594df98d0e44711ade279a2f3ee5ec75e7
Opcode Fuzzy Hash: d97b45ed7f4cf8222e7fc2f071e79aea7633fa338d1480b31ef950b105641600
Instruction Fuzzy Hash: A9D14A71508205AFC304EF24C88196BB7E9FF94708F1049ADF5958B2A1EB71ED49CBA2

Function 00BE22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BE22E8

Part of subcall function 00BDE4EC: GetWindowRect.USER32(?,?), ref: 00BDE504

GetDesktopWindow.USER32 ref: 00BE2312
GetWindowRect.USER32(00000000), ref: 00BE2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BE2355
GetCursorPos.USER32(?), ref: 00BE2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BE23DF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction ID: 96217207541fb0085d242e9517a1ce0bfddb6af096d6f299531065162ddbfde8
Opcode Fuzzy Hash: f00da6cb8d2a56b6adc5fe803e1d1ac7bff0fba0b502da2a9a4e09db4d2a1700
Instruction Fuzzy Hash: 0631DE72504345AFC720DF15C845B6BBBEAFB84310F000A1AF89497181DB34EA48CB92

Function 00BD9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BD9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BD9C8B

Part of subcall function 00BD3874: GetInputState.USER32 ref: 00BD38CB
Part of subcall function 00BD3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BD9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BD9C75

Strings

*.*, xrefs: 00BD9B5D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction ID: e1001d0b5d2441cb800aa8c685cc667bc2df7401fd477690f0c80b33cfe5a64d
Opcode Fuzzy Hash: 20a8891374eee40daff57cdb3dd22483a7a475f564d4561b99190d0105c85c5e
Instruction Fuzzy Hash: 8841537194420EAFDF15DF64C985AEEBBF8EF05310F244196E405A32A1EB319E84DF60

Function 00B7997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B79A4E
GetSysColor.USER32(0000000F), ref: 00B79B23
SetBkColor.GDI32(?,00000000), ref: 00B79B36

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction ID: 450c7bb0fc26557edde3a87d9b36edff64e8fbdec65a79a283d1d9f94e9dd02d
Opcode Fuzzy Hash: 2f85edf201aefd4a0da9d3bbe58c7599857bc6eb50c97f8f61ffef9485ddabe4
Instruction Fuzzy Hash: 12A13570249508AFE728AA3D8C88FBF2ADDDB82300F2581C9F526C7695CE619D01D372

Function 00BE1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BE185D
WSAGetLastError.WSOCK32 ref: 00BE1884
bind.WSOCK32(00000000,?,00000010), ref: 00BE18DB
WSAGetLastError.WSOCK32 ref: 00BE18E6
closesocket.WSOCK32(00000000), ref: 00BE1915

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction ID: 4107e7c7a7625050523983100a3cd2d36c6cfa52e82e956699904ca042a66d36
Opcode Fuzzy Hash: 40028d8a7ab03d57c936cf25a997caa3ccf2324adac135e3cf27094c4cebb671
Instruction Fuzzy Hash: 5851B275A002009FD710AF24C896F7A77E5EB44718F1884D8F95A9F393CB75AD41CBA1

Function 00BF1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BF1CC0
IsWindowEnabled.USER32 ref: 00BF1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BF1CDB
IsIconic.USER32 ref: 00BF1CE9
IsZoomed.USER32 ref: 00BF1CF7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6cb9386cd688927c5374776248e4d4acaa63cf8094ae802c7efb03648bd7b6ab
Instruction ID: a6149eaed73ab25ff5986cc59745079c4f4789642eec689b994b0aa696b0c797
Opcode Fuzzy Hash: 6cb9386cd688927c5374776248e4d4acaa63cf8094ae802c7efb03648bd7b6ab
Instruction Fuzzy Hash: D72194317402189FD7208F1ED884B767BE5EF95314B1988A8E945CF351CB71DC4ACB90

Function 00B68060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B6843C
ERCP, xrefs: 00B6813C
VUUU, xrefs: 00B683FA
VUUU, xrefs: 00BA5DF0
VUUU, xrefs: 00B683E8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction ID: c9ab7858ab5eb2e8573949feb7aec456f32d056d485054044b06adb50f09d949
Opcode Fuzzy Hash: 17c3ea6eebff8612e6cecf1db8f813f6f2e80c99084de3e5d91d88ee75a14ef2
Instruction Fuzzy Hash: D8A24C71A0461ACBDF34CF58C8807ADB7F1FB55314F2482EAE855A7285EB749E81CB90

Function 00BCAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BCAAAC
SetKeyboardState.USER32(00000080), ref: 00BCAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BCAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BCAB88

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction ID: 55e9f83f6b31eea4c4731c1872742fff2bb012893d2a26f3d76b51b04e5aab66
Opcode Fuzzy Hash: 21fefd155f87ce77fd2557b2d601db2afd205a2994bd974327cc63bd2b64fe1b
Instruction Fuzzy Hash: 62310370A8020CAEFB359A68CC49FFA7BF6EB44328F04429EF581961D1D7758D85C762

Function 00B9BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9BB7F

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

GetTimeZoneInformation.KERNEL32 ref: 00B9BB91
WideCharToMultiByte.KERNEL32(00000000,?,00C3121C,000000FF,?,0000003F,?,?), ref: 00B9BC09
WideCharToMultiByte.KERNEL32(00000000,?,00C31270,000000FF,?,0000003F,?,?,?,00C3121C,000000FF,?,0000003F,?,?), ref: 00B9BC36

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: afc95a30ad7a73384c111ba9b3faebfc0f44037aac1774d5362593fb6f9508a0
Instruction ID: 9f0a6dc521812ea9b76c9440f0216fbce91fda61070bf28450176c5071cc562d
Opcode Fuzzy Hash: afc95a30ad7a73384c111ba9b3faebfc0f44037aac1774d5362593fb6f9508a0
Instruction Fuzzy Hash: 5C31A070904205DFCF15DF69ED80A6EBBF8FF45760B1882BAE855D72A1D7319A40CB90

Function 00BDCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00BDCE89
GetLastError.KERNEL32(?,00000000), ref: 00BDCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00BDCEFE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction ID: 21b0e008b684adf23f8426bb1e659623be42867440a3cea896a703b0d12c34e8
Opcode Fuzzy Hash: e87f2be227b45ffa17166b39c9826c647f2b0907be33afa5723e937478b68bad
Instruction Fuzzy Hash: 632190B15003069BD720DFA5C985BA7BBFCEB50354F1044AEE546D3251EB70ED48DB54

Function 00BC8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BC82AA

Strings

(, xrefs: 00BC82F0
|, xrefs: 00BC82DA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9ec2cc479a2ad6ecb29e87930d75d9a4ca2c6938cee2a8cd15beb39edf582ada
Instruction ID: cd0937ec0e3f1f3286a2820bbc1b0a619a647fccecdb1b187942583335d17b91
Opcode Fuzzy Hash: 9ec2cc479a2ad6ecb29e87930d75d9a4ca2c6938cee2a8cd15beb39edf582ada
Instruction Fuzzy Hash: 8F322474A006059FCB28CF59C481E6AB7F0FF48710B15C5AEE49ADB7A1EB70E981CB54

Function 00BD5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00BD5D17
FindClose.KERNEL32(?), ref: 00BD5D5F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 22886eec9a8c9a2e7744bfdef65ba42fa8c38f75234cb281a8101377fa9d7b07
Instruction ID: ec3bddc853572c6aa82c59373408f77287ef1108d6e5fa641f619e49f32609ad
Opcode Fuzzy Hash: 22886eec9a8c9a2e7744bfdef65ba42fa8c38f75234cb281a8101377fa9d7b07
Instruction Fuzzy Hash: FD517A746046019FC724DF28C494EA6FBE5FF49314F1485AEE99A8B3A1DB30E944CBA1

Function 00B92622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B9271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B92724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B92731

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction ID: e7ef3c6ae6936ef3fb0ba136dbb8ca79a1fdf124770022becde1f78f64052b17
Opcode Fuzzy Hash: 2e67734d0c5f8905583287ec1a8b3a0d7881de191bfd74dfa6492463a3b61108
Instruction Fuzzy Hash: 0D31C37491121CABCF21EF68D98879CBBF8AF08310F5041EAE41CA7260EB349F858F44

Function 00BD51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BD5238
SetErrorMode.KERNEL32(00000000), ref: 00BD52A1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction ID: 45697b266bbed8c548c111d55dfade78b754bba9686d53372a7624593a33eacd
Opcode Fuzzy Hash: 9368520dde16f7e09904d6c840474d73db367784a7acdbfd7b66f90dab76bd01
Instruction Fuzzy Hash: E1314B75A10518DFDB00DF94D884EADBBF4FF48314F048099E849AB3A2DB35E85ACB90

Function 00BC16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80668
Part of subcall function 00B7FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B80685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC173A
GetLastError.KERNEL32 ref: 00BC174A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 347e04fba4e20fb51061635b651e564ccd0bda3cc9b64bcdaa49615b7bf0a80d
Instruction ID: 161fc92f2faf2b536b94c7cbbe043c59d0eecc097bce01653f0e23be54544a4c
Opcode Fuzzy Hash: 347e04fba4e20fb51061635b651e564ccd0bda3cc9b64bcdaa49615b7bf0a80d
Instruction Fuzzy Hash: 7B11C1B2400309FFD7289F68DCC6E7ABBF9EB04714B20856EE05693241EB70BC41CA24

Function 00BCD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BCD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BCD650

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction ID: 9e5570266ee72b423bb61c886a6d44300fa696df221290ef446ed8e4a9c2070c
Opcode Fuzzy Hash: a5766de444cc56cd989766b8806b3c635839a49af4dd702b1f77664d45903e41
Instruction Fuzzy Hash: B5113C75E05228BBDB108F999D45FAFBFBCEB45B50F108166F904E7290D6704A05CBA1

Function 00BC1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BC168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BC16A1
FreeSid.ADVAPI32(?), ref: 00BC16B1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction ID: 3f232d9a7ff76cb14c4eb3fc5a25eede0e6d63e213c429471962b5bf17516cad
Opcode Fuzzy Hash: 6510ad21920b25c17a3586966737dd971d5461c647443d29eee9412f7fba026d
Instruction Fuzzy Hash: F5F0F47195030DFBDB00DFF49D89EAEBBBCEB08604F5049A5E501E3181EB74AA449A54

Function 00BBD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BBD28C

Strings

X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction ID: e40e4ccba7fb3e70d5935cd327355c7e068567a092ce9623ef601e640cc7dc07
Opcode Fuzzy Hash: 8e166ed3641cfb796d2ae91aec90655be7f4013e63f9c9453c1f31c288fa8536
Instruction Fuzzy Hash: 4AD0C9B480111DEBCB94CBA0DCC8DE9B7BCBF04345F104195F106A2000DB7495498F10

Function 00B8CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4721ac9dbf9fea738e2bb59410ca960eb5300eeea12fc41919ea2b5993f36347
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B9022CB1E002199BDF14DFA9C8806ADBBF1FF48314F2581AAD919E7390D730AE45CB94

Function 00BD68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BD6918
FindClose.KERNEL32(00000000), ref: 00BD6961

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction ID: d47419fe1dfd89771b89c43f2edfd6683c0b0f06145a76083391112eff65c1aa
Opcode Fuzzy Hash: 80779c5cb204b44458d96e91ab2edaa95eb58ac5323192d59903469c3f739b81
Instruction Fuzzy Hash: AE1190316142019FC710DF69D498A26FBE5FF89328F14C69AE4698F3A2DB34EC45CB91

Function 00BD37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BE4891,?,?,00000035,?), ref: 00BD37F4

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction ID: f7dd40965790d0438766163b78336542935fb23030463a7b24e35a2fb23e8598
Opcode Fuzzy Hash: 9537781985b58d9603cca919668b029517a6def4bfdcca04c1f9b53a73e3751b
Instruction Fuzzy Hash: 54F0E5B06052296AE72017668C4DFEB7AEEEFC5B61F0001A6F509E3281D9709D44C6B1

Function 00BCB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BCB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00BCB270

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction ID: 0ae93a5626d214616b734dc8bc388fe724c16cd31942d97eb3047aa6f584c9c1
Opcode Fuzzy Hash: 43d0719f3b449608d8a51df73ebe5ac92bc84e0ff85bb18f9bbf62eb95cd17c2
Instruction Fuzzy Hash: 07F01D7180424DABDB059FA0C806BBE7FB4FF04305F008449F965AA191C7799655DF94

Function 00BC10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC11FC), ref: 00BC10D4
CloseHandle.KERNEL32(?,?,00BC11FC), ref: 00BC10E9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4545f9bdef3d2d0e352daa13f5fe49994653109ac73a9d801bf4552e9ad95cb7
Instruction ID: 7d6c8ec21f93348cc5946b43f2e306c4a6eea0ffd5469ed64d777cbc0286bbf9
Opcode Fuzzy Hash: 4545f9bdef3d2d0e352daa13f5fe49994653109ac73a9d801bf4552e9ad95cb7
Instruction Fuzzy Hash: 75E04F32008601AEE7252B21FC05E737BE9EF04310F10C86DF4A5814B1DF626CE0DB18

Function 00B6CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00BB0C40

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: d73c27538b78e5919828aca66e8149b2bdc3fa9a3eb7751a1902e283c5feb4ac
Instruction ID: 8edb92843887b353c4df61863509edfd3f544504acb670ef815904ad75bec719
Opcode Fuzzy Hash: d73c27538b78e5919828aca66e8149b2bdc3fa9a3eb7751a1902e283c5feb4ac
Instruction Fuzzy Hash: D9326C70910218DBCF14EF94C895AFEBBF5FF04304F1480A9E846AB292D779AD49CB60

Function 00B9676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B96766,?,?,00000008,?,?,00B9FEFE,00000000), ref: 00B96998

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction ID: f65479bcdbb78743831e29474c54f0773bfd80066aef1ccd05e3da0d7066a8af
Opcode Fuzzy Hash: fc83978f4e01ac5b52c6acc852b88ac933473bedf58aada1dc2b9b8436b7e6d2
Instruction Fuzzy Hash: ACB12A316106099FDB19CF28C48AB657BE0FF45364F2586A9E899CF2A2C735E991CB40

Function 00B7B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00BB851F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction ID: 99e1a7ad360c0980c2858703d081952b4b75072a5b127634aeb6048db449e968
Opcode Fuzzy Hash: e9776c3998b694a09e8fdeaca5719c9fadbc8b6e6296276e6d12121792e32185
Instruction Fuzzy Hash: 1D124D759002299BCB24CF58C880BFEB7F9FF48710F14819AE859EB255DB749A81CF94

Function 00BDEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BDEABD

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction ID: 4c8b3fe6e137eb95ac62165c05e32162644877b717a3381ee5248a37a609ee35
Opcode Fuzzy Hash: 7417da719dc58e48402b8693fb79a68008ac890cf133fba011e17ae43278f7c7
Instruction Fuzzy Hash: 64E048312102059FC710EF59D444D9AFBE9EF58760F008457FC49CB351DB74E8448B90

Function 00B809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B803EE), ref: 00B809DA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction ID: def020990cbccbadfad65955ebe5339d95faa1ba63fa53974f77520b3abc1cf9
Opcode Fuzzy Hash: 5a6572cd282b2e93488ca2bd0e7d4765ec021ab5c177012a07edf983bdc518da
Instruction Fuzzy Hash:

Function 00B8781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B8798B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 604f760ad32741bf505ba461c7c7bc7f6228d3acbf347af20f6fff4c172bb15b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4F518A616CC605A7DB38B52A889DBBE27C9DB1234CF3805C9D886C72B2DE11DE01D352

Function 00B96DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction ID: 5a13b5ddf974f91503e75dd440b02b21623b00ea61894b510d65c8584e11fde2
Opcode Fuzzy Hash: b44fd09c448c81afafb33fff2e3039d7b3a0cf142eacb3370665ec6a3e404a39
Instruction Fuzzy Hash: D232F421D79F014DDB239634CC663396689AFB73C5F16D737E81AB5AA6EF29C4838100

Function 00B7CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction ID: 2bde3b97f17b8ea0c93448b7ee7501e1a4b22614d886172aec9aa2b28c45c5fa
Opcode Fuzzy Hash: f150253a4e41588b0850ca66d8436c7da024ee4c05e0ac20131962c7e3d9dbba
Instruction Fuzzy Hash: 9C32F231A001498BDF39CE29C4D06FD7FE1EB45300F2885EED4AA9B696D6B4DD81DB81

Function 00B67920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2545ef774d7c6ceecc8dc03b87306a214702f0653821d8c1d615b7d714a27836
Instruction ID: eecbcce771ee25419d8881cf7a261f61acaef317015b5abd9a2aba0ecd1c1405
Opcode Fuzzy Hash: 2545ef774d7c6ceecc8dc03b87306a214702f0653821d8c1d615b7d714a27836
Instruction Fuzzy Hash: 8922C470A0460ADFDF14CFA4C881BAEB3F5FF49304F2445A9E816A7291EB399E15CB54

Function 00B691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c96a794ac4ce53101bf78623906032f61351e1f9846c746a068058e2feacaf5
Instruction ID: 466ee13c983ec448c551b236999d771c207dbcf06ef7b9afba4681c5635c25ca
Opcode Fuzzy Hash: 7c96a794ac4ce53101bf78623906032f61351e1f9846c746a068058e2feacaf5
Instruction Fuzzy Hash: 7602B5B0E04206EBDB14DF54D881BAEB7F5FF45300F1081A9E816DB291EB35EA15CB95

Function 00B99EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e925e682e42c0db982995cd9d2316f673c0b809f3b4da5a23b661c4049a7a734
Instruction ID: 5046e8efa85e9bfbc4ce4a479d7d6993edbfa50ad49c7190dfd43a3d23f8a020
Opcode Fuzzy Hash: e925e682e42c0db982995cd9d2316f673c0b809f3b4da5a23b661c4049a7a734
Instruction Fuzzy Hash: EBB10520D2AF904DD7239639887133AB69CAFBB6D5F92D71BFC1674D72EB2185838140

Function 00B81C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4b3f423485deba2eebd47f18c1bf825fc4af16a122c4a586f63b08f7aad1a92b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5791A97210A0A34ADB29563E847417DFFE5DA523A231A0FEDD4F2CA1E5FE10C956D720

Function 00B81F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 001e13c70ac2c54668ffe992fe6020efb3fd3e63435ce930e71acbe4f458df78
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F79175722090A34EEB69633D847803EFFE19A923A131A07DDD4F2DB1E5EE24C555E720

Function 00B819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 07a9b698cfb56c44e8ffe69022fd542ad59dc8afed20e1310dba686c93151962
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2E91737220B0A34ADB2D567E857403DFFE99A923A131A0BDED4F2CA1E1FD24C556D720

Function 00B87A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction ID: 11e3f5d73547f9a1074e6ce5af8e18877ffdba934b1a2aca47af071af0a76c5b
Opcode Fuzzy Hash: 7ed6ff0d3cd0f8e333a91cfe5c1f53391dade4d23e868ead03dc7b92c620f927
Instruction Fuzzy Hash: AF6168212C830997DA38BA2889E5BBE63D6DF5170CF3409D9E842DB2B1DE21DE42C755

Function 00B87CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction ID: 7005ca1d47976b202de1766167191e09ddc0f15bbbd0a57e0944d4a0e770b88a
Opcode Fuzzy Hash: 96350a68e69f0eddea575a7d9c68ad78eb9792f9b4b87a66244969c71e4124a4
Instruction Fuzzy Hash: 36615BB16C870997DA38B9288895BBE23C8DF5274CF3419E9E842DB2B1DE11DD41C355

Function 00B81706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bf8dad1d7f97ef9aaf2f9ac9583bc0cfb09003e8f939591053aadc98d047b5ee
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2581C87660A0A309DB2D523E847443EFFE59A923A131A0FDDD4F2CB1E1EE24C956D720

Function 00BD2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction ID: c29b38aafecd6e2ea1d4a80c6955f4f5108efe1755982a229d4796361fa04613
Opcode Fuzzy Hash: 44208767a20d661adcb41b1e684fbc2e4b04c3c6e4811ee1f01e9ab9631e8ff7
Instruction Fuzzy Hash: 5B21A8326205118BDB28CF79C92377EB3E5A764310F15866EE4A7C37D0DE35A904C740

Function 00BE2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BE2B30
DeleteObject.GDI32(00000000), ref: 00BE2B43
DestroyWindow.USER32 ref: 00BE2B52
GetDesktopWindow.USER32 ref: 00BE2B6D
GetWindowRect.USER32(00000000), ref: 00BE2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BE2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BE2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2CF8
GetClientRect.USER32(00000000,?), ref: 00BE2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BE2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D80
GlobalLock.KERNEL32(00000000), ref: 00BE2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2D98
GlobalUnlock.KERNEL32(00000000), ref: 00BE2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DA8
GlobalFree.KERNEL32(00000000), ref: 00BE2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BFFC38,00000000), ref: 00BE2DDB
GlobalFree.KERNEL32(00000000), ref: 00BE2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BE2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BE2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE303F

Strings

, xrefs: 00BE2FC5
DISPLAY, xrefs: 00BE2EA2
AutoIt v3, xrefs: 00BE2CF2
static, xrefs: 00BE2D3A, 00BE2E91

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction ID: 1b438a38889c78148e88a17f93639f4ca3d1348b2382b67763b4f26f061333d0
Opcode Fuzzy Hash: 89d3d04d02b1e00ef6e8decc58f304c69c1fc6bb808d5b07acbd9ac0226c7a0d
Instruction Fuzzy Hash: 2F028A71910209AFDB14DFA4CD89EAE7BF9EF48710F048198F915AB2A1DB74ED41CB60

Function 00BF70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BF712F
GetSysColorBrush.USER32(0000000F), ref: 00BF7160
GetSysColor.USER32(0000000F), ref: 00BF716C
SetBkColor.GDI32(?,000000FF), ref: 00BF7186
SelectObject.GDI32(?,?), ref: 00BF7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF71C0
GetSysColor.USER32(00000010), ref: 00BF71C8
CreateSolidBrush.GDI32(00000000), ref: 00BF71CF
FrameRect.USER32(?,?,00000000), ref: 00BF71DE
DeleteObject.GDI32(00000000), ref: 00BF71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00BF7230
FillRect.USER32(?,?,?), ref: 00BF7262
GetWindowLongW.USER32(?,000000F0), ref: 00BF7284

Part of subcall function 00BF73E8: GetSysColor.USER32(00000012), ref: 00BF7421
Part of subcall function 00BF73E8: SetTextColor.GDI32(?,?), ref: 00BF7425
Part of subcall function 00BF73E8: GetSysColorBrush.USER32(0000000F), ref: 00BF743B
Part of subcall function 00BF73E8: GetSysColor.USER32(0000000F), ref: 00BF7446
Part of subcall function 00BF73E8: GetSysColor.USER32(00000011), ref: 00BF7463
Part of subcall function 00BF73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
Part of subcall function 00BF73E8: SelectObject.GDI32(?,00000000), ref: 00BF7482
Part of subcall function 00BF73E8: SetBkColor.GDI32(?,00000000), ref: 00BF748B
Part of subcall function 00BF73E8: SelectObject.GDI32(?,?), ref: 00BF7498
Part of subcall function 00BF73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
Part of subcall function 00BF73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
Part of subcall function 00BF73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f862b62f59b88c4f4f1ed21068ad61a2d9ea77997d003952e78245b664d2bc9a
Instruction ID: 49fbb7c9ae34901ee1dcfd7f4c2abcfe8a998779082d7de587ac5428db4a6278
Opcode Fuzzy Hash: f862b62f59b88c4f4f1ed21068ad61a2d9ea77997d003952e78245b664d2bc9a
Instruction Fuzzy Hash: F3A18F72008309AFD7009F64DD49E7A7BE9FB49320F100A59FA62A71A1DB71E989CB51

Function 00B78D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B78E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BB6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BB6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BB6F43

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

SendMessageW.USER32(?,00001053), ref: 00BB6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BB6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BB6FB7

Strings

0, xrefs: 00BB6DCF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction ID: ea83692bbbb5e1444c95a915b3b254eff2d659dcf1b492109011a1ce34e96c4c
Opcode Fuzzy Hash: f0dcaa88e47453d8e7726ec0ab2ccb31165e961e7636bc1ccf19d66fb19c7f8c
Instruction Fuzzy Hash: 54129C30605201EFDB25CF24C998BB9BBE5FB44310F1884A9E499CB261CB75EC92DB51

Function 00BE2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BE273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BE286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BE28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BE28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BE2900
GetClientRect.USER32(00000000,?), ref: 00BE290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BE2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BE2964
GetStockObject.GDI32(00000011), ref: 00BE2974
SelectObject.GDI32(00000000,00000000), ref: 00BE2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BE2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE2991
DeleteDC.GDI32(00000000), ref: 00BE299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BE29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BE29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BE2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BE2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BE2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BE2A77
GetStockObject.GDI32(00000011), ref: 00BE2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BE2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BE2A97

Strings

DISPLAY, xrefs: 00BE295A
AutoIt v3, xrefs: 00BE28F8
msctls_progress32, xrefs: 00BE2A13
static, xrefs: 00BE294F, 00BE2A71

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction ID: 4ac21d7c651fd518bf3c08487b9a7635407a995dfc0b80e9eb73b99a156367a1
Opcode Fuzzy Hash: 71ec643c22d8c21b1fd7f63c1c18ad8ca0b8b6afb18140050e49b7706ef0e5e8
Instruction Fuzzy Hash: AFB16E71A50219AFEB14DF68CD89FAE7BB9EB08710F004155F915E72A0DB74ED40CBA0

Function 00BD4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4AED
GetDriveTypeW.KERNEL32(?,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4BCA
SetErrorMode.KERNEL32(00000000,00BFCB68,?,\\.\,00BFCC08), ref: 00BD4D36

Strings

SAS, xrefs: 00BD4CC9
USB, xrefs: 00BD4CB4
SCSI, xrefs: 00BD4C8A
Network, xrefs: 00BD4C02
RAMDisk, xrefs: 00BD4BF4
SATA, xrefs: 00BD4CD0
Virtual, xrefs: 00BD4CE5
Unknown, xrefs: 00BD4BED, 00BD4C83
1394, xrefs: 00BD4C9F
SSA, xrefs: 00BD4CA6
MMC, xrefs: 00BD4CDE
iSCSI, xrefs: 00BD4CC2
ATA, xrefs: 00BD4C98
PhysicalDrive, xrefs: 00BD4B76
Removable, xrefs: 00BD4C10, 00BD4C15
CDROM, xrefs: 00BD4BFB
ATAPI, xrefs: 00BD4C91
Fibre, xrefs: 00BD4CAD
SSD, xrefs: 00BD4C4A
Fixed, xrefs: 00BD4C09
RAID, xrefs: 00BD4CBB
FileBackedVirtual, xrefs: 00BD4CEC
\\.\, xrefs: 00BD4B3F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction ID: 9db6e8ab3eb797e380fe12a45fa931bcad339738035de1ee020b085145006a47
Opcode Fuzzy Hash: 5bc4a12107a534d784fe816151d3706052793618261a6d90674fe61d7100e8d8
Instruction Fuzzy Hash: A561AF30616109ABCB04DF24DAC1978F7F1EB44304B2884E7F806ABB91EB35ED41DB51

Function 00BF73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BF7421
SetTextColor.GDI32(?,?), ref: 00BF7425
GetSysColorBrush.USER32(0000000F), ref: 00BF743B
GetSysColor.USER32(0000000F), ref: 00BF7446
CreateSolidBrush.GDI32(?), ref: 00BF744B
GetSysColor.USER32(00000011), ref: 00BF7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BF7471
SelectObject.GDI32(?,00000000), ref: 00BF7482
SetBkColor.GDI32(?,00000000), ref: 00BF748B
SelectObject.GDI32(?,?), ref: 00BF7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00BF74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BF74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00BF74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BF752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BF7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00BF7572
DrawFocusRect.USER32(?,?), ref: 00BF757D
GetSysColor.USER32(00000011), ref: 00BF758E
SetTextColor.GDI32(?,00000000), ref: 00BF7596
DrawTextW.USER32(?,00BF70F5,000000FF,?,00000000), ref: 00BF75A8
SelectObject.GDI32(?,?), ref: 00BF75BF
DeleteObject.GDI32(?), ref: 00BF75CA
SelectObject.GDI32(?,?), ref: 00BF75D0
DeleteObject.GDI32(?), ref: 00BF75D5
SetTextColor.GDI32(?,?), ref: 00BF75DB
SetBkColor.GDI32(?,?), ref: 00BF75E5

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ac73cb3ba9f137d5eeabbd0ad279440091a8596f017782887b91a42bd67cb48f
Instruction ID: c76f206bd528cd12ae29fb2638edbaa5cfd9196399fd904d37605b2b543f0ed1
Opcode Fuzzy Hash: ac73cb3ba9f137d5eeabbd0ad279440091a8596f017782887b91a42bd67cb48f
Instruction Fuzzy Hash: 01615C7290421CAFDB019FA4DD49EEEBFB9EB08320F114155FA15BB2A1DB709980CB90

Function 00BF0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF1128
GetDesktopWindow.USER32 ref: 00BF113D
GetWindowRect.USER32(00000000), ref: 00BF1144
GetWindowLongW.USER32(?,000000F0), ref: 00BF1199
DestroyWindow.USER32(?), ref: 00BF11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BF11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BF1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BF1245
IsWindowVisible.USER32(00000000), ref: 00BF12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BF12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BF12D0
GetWindowRect.USER32(00000000,?), ref: 00BF12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00BF130E
GetMonitorInfoW.USER32(00000000,?), ref: 00BF1328
CopyRect.USER32(?,?), ref: 00BF133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BF13AA

Strings

tooltips_class32, xrefs: 00BF11E6
0, xrefs: 00BF10D3
(, xrefs: 00BF131B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction ID: f7c5db6dd904ab3d7eb41b8dd0d7962df1a5fc0471954f771a5abce72e38f9fc
Opcode Fuzzy Hash: 090093980d1167743b301287aa3c8d20d0fffd08811173beed319fe61046f6fc
Instruction Fuzzy Hash: C0B16A71608345EFD704DF68C984B6ABBE4EF84750F008D5CFA99AB261DB71E848CB91

Function 00B78891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B78968
GetSystemMetrics.USER32(00000007), ref: 00B78970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B7899B
GetSystemMetrics.USER32(00000008), ref: 00B789A3
GetSystemMetrics.USER32(00000004), ref: 00B789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B78A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B78A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B78A5A
GetStockObject.GDI32(00000011), ref: 00B78A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B78A81

Part of subcall function 00B7912D: GetCursorPos.USER32(?), ref: 00B79141
Part of subcall function 00B7912D: ScreenToClient.USER32(00000000,?), ref: 00B7915E
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000001), ref: 00B79183
Part of subcall function 00B7912D: GetAsyncKeyState.USER32(00000002), ref: 00B7919D

SetTimer.USER32(00000000,00000000,00000028,00B790FC), ref: 00B78AA8

Strings

AutoIt v3 GUI, xrefs: 00B78A20
InitializeCriticalSectionEx, xrefs: 00BB67BA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$InitializeCriticalSectionEx
API String ID: 1458621304-260769550
Opcode ID: 9a3517a41e1fb00fe4d0d1e1a282af96af096d69a5611876325daeda957a7ff7
Instruction ID: 52d852041fc21f473dfb0a22a678a7ca8fed55448d428f3e5a61b9741d040ecd
Opcode Fuzzy Hash: 9a3517a41e1fb00fe4d0d1e1a282af96af096d69a5611876325daeda957a7ff7
Instruction Fuzzy Hash: DDB16B71A00209AFDB14DFA8CD89BFE3BF5FB48314F158169FA19A7290DB74A840CB51

Function 00BC0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
Part of subcall function 00BC10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
Part of subcall function 00BC10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
Part of subcall function 00BC10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
Part of subcall function 00BC10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC0E29
GetLengthSid.ADVAPI32(?), ref: 00BC0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00BC0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC0E96
GetLengthSid.ADVAPI32(?), ref: 00BC0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BC0EB5
HeapAlloc.KERNEL32(00000000), ref: 00BC0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC0EDD
CopySid.ADVAPI32(00000000), ref: 00BC0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F6E
HeapFree.KERNEL32(00000000), ref: 00BC0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F7E
HeapFree.KERNEL32(00000000), ref: 00BC0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC0F8E
HeapFree.KERNEL32(00000000), ref: 00BC0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC0FA1
HeapFree.KERNEL32(00000000), ref: 00BC0FA8

Part of subcall function 00BC1193: GetProcessHeap.KERNEL32(00000008,00BC0BB1,?,00000000,?,00BC0BB1,?), ref: 00BC11A1
Part of subcall function 00BC1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BC0BB1,?), ref: 00BC11A8
Part of subcall function 00BC1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BC0BB1,?), ref: 00BC11B7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction ID: 7a20f3b2ac873d0bc491dfa7fc784f56200633f1154fb1feef9224be3ee7a670
Opcode Fuzzy Hash: 98cf8f45d0ef1077563c95b4a98f4ed6ab9b33ae5ea1dadbbb3e7e0b948ad4e3
Instruction Fuzzy Hash: C5715A7290020AEBDF20AFA4DD48FAEBBB8FF05300F144199F919E7191DB319A55CB60

Function 00BEC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BFCC08,00000000,?,00000000,?,?), ref: 00BEC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BEC5A4
_wcslen.LIBCMT ref: 00BEC5F4
_wcslen.LIBCMT ref: 00BEC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BEC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BEC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BEC84D
RegCloseKey.ADVAPI32(?), ref: 00BEC881
RegCloseKey.ADVAPI32(00000000), ref: 00BEC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BEC960

Strings

REG_EXPAND_SZ, xrefs: 00BEC5CD
REG_MULTI_SZ, xrefs: 00BEC6F5
REG_QWORD, xrefs: 00BEC8C3
REG_SZ, xrefs: 00BEC644
REG_BINARY, xrefs: 00BEC913
REG_DWORD, xrefs: 00BEC804

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 40f4734bedf250900e2b994bcdf894f147f8da2435da52772c65078675adbb1d
Instruction ID: 8a9d08f2768952418015cc9c743438067ebfff396f8616379787dd996bcf813c
Opcode Fuzzy Hash: 40f4734bedf250900e2b994bcdf894f147f8da2435da52772c65078675adbb1d
Instruction Fuzzy Hash: 25127A356042419FD714DF25C891A2ABBE5FF88714F14889DF88A9B3A2DB35FD42CB81

Function 00BF091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF09C6
_wcslen.LIBCMT ref: 00BF0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF0A54
_wcslen.LIBCMT ref: 00BF0A8A
_wcslen.LIBCMT ref: 00BF0B06
_wcslen.LIBCMT ref: 00BF0B81

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

Part of subcall function 00BC2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BC2BFA

Strings

COLLAPSE, xrefs: 00BF0B01, 00BF0B1C
SELECT, xrefs: 00BF0D11
EXISTS, xrefs: 00BF0B7C, 00BF0B97
GETTOTALCOUNT, xrefs: 00BF09F2, 00BF0A17
EXPAND, xrefs: 00BF0BF8
GETITEMCOUNT, xrefs: 00BF0C1E
ISCHECKED, xrefs: 00BF0CE1
CHECK, xrefs: 00BF0A85, 00BF0AA0
GETTEXT, xrefs: 00BF0C97
GETSELECTED, xrefs: 00BF0C4E
UNCHECK, xrefs: 00BF0D3E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction ID: f490d7ab301cce3437eb8fd7ac08333ec8b17bec0a3aee3979abfe7d53d3c590
Opcode Fuzzy Hash: 4e15270eccbe3f0fa94402fc30cab8318d735c1ba942c9d519daf50e24400053
Instruction Fuzzy Hash: C8E17B352183058FCB14EF24C49093AB7E1FF98314B14899DF99A9B762DB30ED49CB81

Function 00BEC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
_wcslen.LIBCMT ref: 00BEC9F1
_wcslen.LIBCMT ref: 00BECA68
_wcslen.LIBCMT ref: 00BECA9E
_wcslen.LIBCMT ref: 00BECAF9
_wcslen.LIBCMT ref: 00BECB2F
_wcslen.LIBCMT ref: 00BECB7F

Strings

HKU, xrefs: 00BECBF0
HKEY_CURRENT_CONFIG, xrefs: 00BECB79, 00BECB7E
HKCC, xrefs: 00BECBAC
HKEY_CLASSES_ROOT, xrefs: 00BECAF3, 00BECAF8
HKEY_LOCAL_MACHINE, xrefs: 00BECA62, 00BECA67
HKEY_USERS, xrefs: 00BECBDF
HKEY_CURRENT_USER, xrefs: 00BECBBD
HKCR, xrefs: 00BECB29, 00BECB2E
HKLM, xrefs: 00BECA98, 00BECA9D
HKCU, xrefs: 00BECBCE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction ID: bc92e83746bbf64929cedc6a4046ffa3949817970c9f381fe283d88a96c409cf
Opcode Fuzzy Hash: 2bc31d8413435a1fd8d8b191700c593ab2944a44dae209574e88ed9d509e6d3d
Instruction Fuzzy Hash: 707108326001AA8BCF20DE7ED9815BE3BE5EF60754B2512B4F86697294E735CD46C390

Function 00BF833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BF835A
_wcslen.LIBCMT ref: 00BF836E
_wcslen.LIBCMT ref: 00BF8391
_wcslen.LIBCMT ref: 00BF83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BF83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00BF361A,?), ref: 00BF844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BF84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BF8501
FreeLibrary.KERNEL32(?), ref: 00BF850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BF851D
DestroyIcon.USER32(?), ref: 00BF852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BF8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BF8555

Strings

.exe, xrefs: 00BF8388
.icl, xrefs: 00BF8368
.dll, xrefs: 00BF83AB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction ID: 5e4449e03b03f5067fc948f130650cf302e73759625b37c598727ca7338a54b1
Opcode Fuzzy Hash: f040236962922eca4da5667498301e0a72ff1c61973bff19965b731efa8aca1d
Instruction Fuzzy Hash: 9561DE7150021ABEEB14DF64CC82BBE7BA8FB14710F10468AF915DB1E1DF74A994CBA0

Function 00B67778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00B67817
#include-once, xrefs: 00B6782F
#comments-end, xrefs: 00B678D9
', xrefs: 00BA5169
#comments-start, xrefs: 00B6785F, 00B678B1
#include, xrefs: 00B67847
Cannot parse #include, xrefs: 00BA5279
#ce, xrefs: 00B678ED
#cs, xrefs: 00B67873, 00B678C5
#pragma compile, xrefs: 00B677D3
#requireadmin, xrefs: 00B677FF
Bad directive syntax error, xrefs: 00BA519A
#notrayicon, xrefs: 00B677E7
Unterminated group of comments, xrefs: 00BA528C
", xrefs: 00BA5153

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: bd01615bf04be2ab21feb15c069adc367b41f2ba3912638f32c142fe31cbd356
Instruction ID: cc20e234a9ea55484877ed2fb71a39c5150e8d31881617ab6e667514f6f7cfa1
Opcode Fuzzy Hash: bd01615bf04be2ab21feb15c069adc367b41f2ba3912638f32c142fe31cbd356
Instruction Fuzzy Hash: 7381C171684209ABDB20AF64CC82FBE37E8EF15304F1440E4F905AB1A6EB749A45C7A5

Function 00BD3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BD3EF8
_wcslen.LIBCMT ref: 00BD3F03
_wcslen.LIBCMT ref: 00BD3F5A
_wcslen.LIBCMT ref: 00BD3F98
GetDriveTypeW.KERNEL32(?), ref: 00BD3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD4087

Strings

open, xrefs: 00BD3F54, 00BD3F59
type cdaudio alias cd wait, xrefs: 00BD4001
close, xrefs: 00BD3EFE, 00BD3F18
set cd door , xrefs: 00BD4028
close cd wait, xrefs: 00BD4072
open , xrefs: 00BD3FE5
wait, xrefs: 00BD4044
closed, xrefs: 00BD3F08, 00BD3F2D, 00BD3F46, 00BD3F7E, 00BD3F97

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4e143887ea77a20b2506532a14e4898c69dc371f88f4a46f7d8ed4f00a99f0d5
Instruction ID: 38a2c30cc63a4c4a2696494c8c6b8f906050ee792b0a530e82f39f569406c329
Opcode Fuzzy Hash: 4e143887ea77a20b2506532a14e4898c69dc371f88f4a46f7d8ed4f00a99f0d5
Instruction Fuzzy Hash: 6B71F2726042169FC710EF24C88186AF7F4EF94758F1049AEF89697351EB34ED45CB92

Function 00BC5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BC5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BC5A40
SetWindowTextW.USER32(?,?), ref: 00BC5A57
GetDlgItem.USER32(?,000003EA), ref: 00BC5A6C
SetWindowTextW.USER32(00000000,?), ref: 00BC5A72
GetDlgItem.USER32(?,000003E9), ref: 00BC5A82
SetWindowTextW.USER32(00000000,?), ref: 00BC5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BC5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BC5AC3
GetWindowRect.USER32(?,?), ref: 00BC5ACC
_wcslen.LIBCMT ref: 00BC5B33
SetWindowTextW.USER32(?,?), ref: 00BC5B6F
GetDesktopWindow.USER32 ref: 00BC5B75
GetWindowRect.USER32(00000000), ref: 00BC5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BC5BD3
GetClientRect.USER32(?,?), ref: 00BC5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00BC5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BC5C2F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction ID: dcb54ff35199f2f16dffb254b4a92b8fc6a62a5c6702f7f767401f369ed094bc
Opcode Fuzzy Hash: f09551332adb77909ce0735343e5b1b93c8d9e7fd68cb77d35e1ba2e81b418bb
Instruction Fuzzy Hash: 22711A31900A09AFDB20DFA9CE85FAEBBF5EB48704F10455CE546A35A0DB75BD84CB50

Function 00BDFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BDFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00BDFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00BDFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00BDFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00BDFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00BDFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00BDFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00BDFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00BDFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00BDFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00BDFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00BDFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00BDFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00BDFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00BDFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00BDFECC
GetCursorInfo.USER32(?), ref: 00BDFEDC
GetLastError.KERNEL32 ref: 00BDFF1E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 020fc3d61c2affb9231b430f24c66a80d8dbb4a6a032da22efe82647f6f313de
Instruction ID: 56c9844f893bb87033c82da5311713e574005a04de0079d135737e5f99e25a49
Opcode Fuzzy Hash: 020fc3d61c2affb9231b430f24c66a80d8dbb4a6a032da22efe82647f6f313de
Instruction Fuzzy Hash: 644124B0D0931AAADB109FBA8C8586EBFE8FF04754B50456AE11DE7281DB789901CF91

Function 00B800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B800C6

Part of subcall function 00B800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C3070C,00000FA0,FBC17DF9,?,?,?,?,00BA23B3,000000FF), ref: 00B8011C
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80127
Part of subcall function 00B800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BA23B3,000000FF), ref: 00B80138
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B8014E
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B8015C
Part of subcall function 00B800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B8016A
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B80195
Part of subcall function 00B800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B801A0

___scrt_fastfail.LIBCMT ref: 00B800E7

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B80122
kernel32.dll, xrefs: 00B80133
InitializeConditionVariable, xrefs: 00B80148
WakeAllConditionVariable, xrefs: 00B80162
SleepConditionVariableCS, xrefs: 00B80154

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction ID: 97a3f3e0a058ea0c0185dbb1f912e6f3a4c54a10533cd9c54530bc026c974fd9
Opcode Fuzzy Hash: c21aaf78ce44e191dcbc0a2b737ce8746933ad68c9e349c73c79cdc054c20432
Instruction Fuzzy Hash: 5521F53365470A6BE7507B64AC49B3D76D4DF06BA0F1001B9F905B32B1DF609844CB94

Function 00BC30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC318D
_wcslen.LIBCMT ref: 00BC31F8

Strings

REGEXPCLASS, xrefs: 00BC3255, 00BC3266
NAME, xrefs: 00BC3335, 00BC3346
CLASS, xrefs: 00BC3188, 00BC31A5
INSTANCE, xrefs: 00BC3453
CLASSNN, xrefs: 00BC31F3, 00BC3204
TEXT, xrefs: 00BC347C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction ID: c728bf71f633bb521140366b49d2d2fff210435b034310894740503f688535df
Opcode Fuzzy Hash: 1a7770dac8fb02493774def20a0ca9ef1f7690b2ba329a5c8ffaecf756ea31f8
Instruction Fuzzy Hash: BCE18331A005169BCF189FA8C491BEEBBE4FF54B10F94C1ADE456F7250DB30AE859790

Function 00BD44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BFCC08), ref: 00BD4527
_wcslen.LIBCMT ref: 00BD453B
_wcslen.LIBCMT ref: 00BD4599
_wcslen.LIBCMT ref: 00BD45F4
_wcslen.LIBCMT ref: 00BD463F
_wcslen.LIBCMT ref: 00BD46A7

Part of subcall function 00B7F9F2: _wcslen.LIBCMT ref: 00B7F9FD

GetDriveTypeW.KERNEL32(?,00C26BF0,00000061), ref: 00BD4743

Strings

cdrom, xrefs: 00BD458F, 00BD4594
ramdisk, xrefs: 00BD46F1
network, xrefs: 00BD469D, 00BD46A2
unknown, xrefs: 00BD4708
fixed, xrefs: 00BD4635, 00BD463A
all, xrefs: 00BD4531, 00BD4536
removable, xrefs: 00BD45EA, 00BD45EF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction ID: d8e071243d06fe6be01191e69bbe35beeb4de87875279bc18ddfdf595d76c00d
Opcode Fuzzy Hash: 39ebfdd4f920b1277b2f9568e87173ab5401172b1ae70dd98311046e38617c37
Instruction Fuzzy Hash: 2FB1AD716083029FC710DF28D890A6AF7E5EFA5764F5049AEF49A87391E730D844CBA2

Function 00BE3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BFCC08), ref: 00BE40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BE40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00BFCC08), ref: 00BE40F2
FreeLibrary.KERNEL32(00000000,?,00BFCC08), ref: 00BE413E
StringFromGUID2.OLE32(?,?,00000028,?,00BFCC08), ref: 00BE41A8
SysFreeString.OLEAUT32(00000009), ref: 00BE4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BE42C8
SysFreeString.OLEAUT32(?), ref: 00BE42F2

Strings

kernel32.dll, xrefs: 00BE40B6
GetModuleHandleExW, xrefs: 00BE40C7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 5dbe3c29196f607b1131e1916d34aa9e2b48ca3d4f0e35f6b65e62a977bb289b
Instruction ID: d750eceddc63f7eb2de1589928ddef5f12008970e75d3c534a8b935574038afb
Opcode Fuzzy Hash: 5dbe3c29196f607b1131e1916d34aa9e2b48ca3d4f0e35f6b65e62a977bb289b
Instruction Fuzzy Hash: 98125C75A00159EFDB14DF95C884EAEBBF9FF45314F248098E905AB251CB31ED86CBA0

Function 00B6326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C31990), ref: 00BA2F8D
GetMenuItemCount.USER32(00C31990), ref: 00BA303D
GetCursorPos.USER32(?), ref: 00BA3081
SetForegroundWindow.USER32(00000000), ref: 00BA308A
TrackPopupMenuEx.USER32(00C31990,00000000,?,00000000,00000000,00000000), ref: 00BA309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BA30A9

Strings

0, xrefs: 00B6327D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 537696858a3312442109e1f456c718f6dbd4d4911bc856630c932233fc2443df
Instruction ID: 4c277ed7251c99af30be6711ad1839dccce98079379d6e21d775da293be8a8c1
Opcode Fuzzy Hash: 537696858a3312442109e1f456c718f6dbd4d4911bc856630c932233fc2443df
Instruction Fuzzy Hash: 39711970648205BEEB258F28CC89FAABFE4FF05724F204296F5156B1E0C7B5A954DB90

Function 00BF6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BF6DEB

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BF6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BF6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6E94
DestroyWindow.USER32(?), ref: 00BF6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B60000,00000000), ref: 00BF6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF6EFD
GetDesktopWindow.USER32 ref: 00BF6F16
GetWindowRect.USER32(00000000), ref: 00BF6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BF6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BF6F4D

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Strings

0, xrefs: 00BF6D98
tooltips_class32, xrefs: 00BF6E58, 00BF6EDD

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction ID: b36a28470a82cccfd5bbdafd4fae0b6cc43c1dfe2d9774cff19ca81e3649ed62
Opcode Fuzzy Hash: 5825ca4e6dc1906f70b43e1e0cc19739df25e43491880eb0448800ff752a4a35
Instruction Fuzzy Hash: 8F715675104348AFDB21CF18D844BBABBE9FB89304F08495DFA9987261CB70AD4ADB11

Function 00BF911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

DragQueryPoint.SHELL32(?,?), ref: 00BF9147

Part of subcall function 00BF7674: ClientToScreen.USER32(?,?), ref: 00BF769A
Part of subcall function 00BF7674: GetWindowRect.USER32(?,?), ref: 00BF7710
Part of subcall function 00BF7674: PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00BF91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BF91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BF91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BF9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00BF923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00BF9277
DragFinish.SHELL32(?), ref: 00BF927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BF9371

Strings

@GUI_DRAGFILE, xrefs: 00BF9320
@GUI_DROPID, xrefs: 00BF929E
@GUI_DRAGID, xrefs: 00BF92E9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction ID: 5f5594649756cc1d1396499d132d371f2fee20a2ee0116df104b3d3219a25de2
Opcode Fuzzy Hash: 86145720abbf3c85a2524ea132f1030ee2a0606ade79eb18700002888b75b028
Instruction Fuzzy Hash: 06617B71108305AFD701DF64DD85EAFBBE8EF88750F00096EF695931A1DB709A49CB52

Function 00BDC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BDC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BDC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BDC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BDC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BDC5F0
InternetCloseHandle.WININET(00000000), ref: 00BDC5FB

Strings

, xrefs: 00BDC575

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction ID: bdde50084b292b0f1f387848384df2a3f0bfe00ac6dbbc5476fd8b5518f0c1e9
Opcode Fuzzy Hash: 24f5551f418558914bec63cf352f7d6a182e3702bf5d553c08a59fba3a57b094
Instruction Fuzzy Hash: EF515AB150020ABFDB219F60D989ABBBFFCFB18744F00445AF94697210EB30E944DB60

Function 00BF856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00BF8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00BF85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00BF85AD
CloseHandle.KERNEL32(00000000), ref: 00BF85BA
GlobalLock.KERNEL32(00000000), ref: 00BF85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00BF85D7
GlobalUnlock.KERNEL32(00000000), ref: 00BF85E0
CloseHandle.KERNEL32(00000000), ref: 00BF85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00BF85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BFFC38,?), ref: 00BF8611
GlobalFree.KERNEL32(00000000), ref: 00BF8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00BF8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00BF8671
DeleteObject.GDI32(00000000), ref: 00BF8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BF86AF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction ID: cf8d626c54c4239c89a7fe56677ce23052ba4648d55510651f6377527985e75a
Opcode Fuzzy Hash: cab483ad0dccfbf5e499a7dfdc73b44ddb55e0287f320b009edf86d2459080f7
Instruction Fuzzy Hash: FC41F875600208BFDB11DFA5DD88EBA7BB8EF89B55F104058F905EB260DB309D45DB60

Function 00BD14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00BD1502
VariantCopy.OLEAUT32(?,?), ref: 00BD150B
VariantClear.OLEAUT32(?), ref: 00BD1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00BD15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00BD1657
VariantInit.OLEAUT32(?), ref: 00BD1708
SysFreeString.OLEAUT32(?), ref: 00BD178C
VariantClear.OLEAUT32(?), ref: 00BD17D8
VariantClear.OLEAUT32(?), ref: 00BD17E7
VariantInit.OLEAUT32(00000000), ref: 00BD1823

Strings

Default, xrefs: 00BD16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00BD1625

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b7aedb8ba4f39667a2cf40ebfe561e9e839e27dd988f0705481e3656b5eb4a8d
Instruction ID: b010d487acfb64268e93db804ca526d8e3279e9cc726d059d92d5c4802d7b0a7
Opcode Fuzzy Hash: b7aedb8ba4f39667a2cf40ebfe561e9e839e27dd988f0705481e3656b5eb4a8d
Instruction Fuzzy Hash: B6D1CC71A00505EBDB109F69E885B79F7F5FF45704F1088E6E406AB290EB38EC45DB62

Function 00BEB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00BEB80A
RegCloseKey.ADVAPI32(?), ref: 00BEB87E
RegCloseKey.ADVAPI32(?), ref: 00BEB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BEB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BEB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BEB922
FreeLibrary.KERNEL32(00000000), ref: 00BEB983
RegCloseKey.ADVAPI32(00000000), ref: 00BEB994

Strings

advapi32.dll, xrefs: 00BEB8ED
RegDeleteKeyExW, xrefs: 00BEB8FE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction ID: 6703167818452e5f8b681d648ccc242fded752a270b92f630bd77d2be05a0bb3
Opcode Fuzzy Hash: 15ba3e19a02d7609fad9156b64b3f549bc9349fe3ae5c2ce534c98ff53ca5434
Instruction Fuzzy Hash: 52C18934208281AFD710DF25C495F2ABBE5FF84308F14859CE49A8B7A2CB75ED46CB91

Function 00BE255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BE25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BE25E8
CreateCompatibleDC.GDI32(?), ref: 00BE25F4
SelectObject.GDI32(00000000,?), ref: 00BE2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BE266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BE26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BE26D0
SelectObject.GDI32(?,?), ref: 00BE26D8
DeleteObject.GDI32(?), ref: 00BE26E1
DeleteDC.GDI32(?), ref: 00BE26E8
ReleaseDC.USER32(00000000,?), ref: 00BE26F3

Strings

(, xrefs: 00BE268D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 34a8e8d94e61a2bcc34b4d1b3cb9ff91c708cb6925386a7fea1bf6d85dd8edd2
Instruction ID: 6a41e0af216bcd2845d06204222d27b7b5ae54753f2e26e065b2969cbe6eaa99
Opcode Fuzzy Hash: 34a8e8d94e61a2bcc34b4d1b3cb9ff91c708cb6925386a7fea1bf6d85dd8edd2
Instruction Fuzzy Hash: 5A61C075D00219EFCF04CFA8D984AAEBBF9FF48310F248569E955A7250D770A951CF50

Function 00B9DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B9DAA1

Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D659
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D66B
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D67D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D68F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6A1
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6B3
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6C5
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6D7
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6E9
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D6FB
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D70D
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D71F
Part of subcall function 00B9D63C: _free.LIBCMT ref: 00B9D731

_free.LIBCMT ref: 00B9DA96

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9DAB8
_free.LIBCMT ref: 00B9DACD
_free.LIBCMT ref: 00B9DAD8
_free.LIBCMT ref: 00B9DAFA
_free.LIBCMT ref: 00B9DB0D
_free.LIBCMT ref: 00B9DB1B
_free.LIBCMT ref: 00B9DB26
_free.LIBCMT ref: 00B9DB5E
_free.LIBCMT ref: 00B9DB65
_free.LIBCMT ref: 00B9DB82
_free.LIBCMT ref: 00B9DB9A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction ID: 57a75b513357fd144cf34a461a6d2d62a15299e3d09b27498330ce3485c1d5ba
Opcode Fuzzy Hash: 4bd014ba321d88124a7dbdd45b642f2899972074cdc682dac13b78eb384d3a7a
Instruction Fuzzy Hash: 84314971A04305AFEF21AB3AE845B5AB7E9FF10320F5544B9E549D7291DF31AC90CB60

Function 00BC365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BC369C
_wcslen.LIBCMT ref: 00BC36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BC3797
GetClassNameW.USER32(?,?,00000400), ref: 00BC380C
GetDlgCtrlID.USER32(?), ref: 00BC385D
GetWindowRect.USER32(?,?), ref: 00BC3882
GetParent.USER32(?), ref: 00BC38A0
ScreenToClient.USER32(00000000), ref: 00BC38A7
GetClassNameW.USER32(?,?,00000100), ref: 00BC3921
GetWindowTextW.USER32(?,?,00000400), ref: 00BC395D

Strings

%s%u, xrefs: 00BC3734

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction ID: 0a662418cb9910609298a9c48058cbcb8780fd87313954375e2a878c4f0ce010
Opcode Fuzzy Hash: 790a6a4450617e511a34203c7c6fa63763b167877bd9ecad1f1f3115deda026e
Instruction Fuzzy Hash: 6491AF71204606AFDB18DF24C885FAAF7E8FF44750F40856DF99AD3190DB70AA45CB91

Function 00BC4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00BC4994
GetWindowTextW.USER32(?,?,00000400), ref: 00BC49DA
_wcslen.LIBCMT ref: 00BC49EB
CharUpperBuffW.USER32(?,00000000), ref: 00BC49F7
_wcsstr.LIBVCRUNTIME ref: 00BC4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00BC4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00BC4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00BC4B20
GetWindowRect.USER32(?,?), ref: 00BC4B8B

Strings

ThumbnailClass, xrefs: 00BC4A6F, 00BC4AF1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction ID: 37c9ef074b078e9307f6b2a8dc1c1c3c36836a7c4ed69cdb2fe3d8dc6515a5cf
Opcode Fuzzy Hash: e12977a9eaa9ad212d57a7c8f696c00e4125d8825f3dbc0e7e7e14163e7b65ad
Instruction Fuzzy Hash: 72919D71108209AFDB14DF14C995FAA7BE8EF44314F0484ADFD859B1A6DB30EE45CBA1

Function 00BCBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C31990,000000FF,00000000,00000030), ref: 00BCBFAC
SetMenuItemInfoW.USER32(00C31990,00000004,00000000,00000030), ref: 00BCBFE1
Sleep.KERNEL32(000001F4), ref: 00BCBFF3
GetMenuItemCount.USER32(?), ref: 00BCC039
GetMenuItemID.USER32(?,00000000), ref: 00BCC056
GetMenuItemID.USER32(?,-00000001), ref: 00BCC082
GetMenuItemID.USER32(?,?), ref: 00BCC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BCC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCC145

Strings

0, xrefs: 00BCBF3D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0291c6ebd69301935fc82ca6e9be97df136015b77617263742dd4c7ef345b1d5
Instruction ID: 28c0d7886eb05e668a3ea4087a510ee2bcf8daa64c02a8cf68daa55645b942d4
Opcode Fuzzy Hash: 0291c6ebd69301935fc82ca6e9be97df136015b77617263742dd4c7ef345b1d5
Instruction Fuzzy Hash: 44617BB090024AAFDF11CF64DD89FBE7FE8EB25344F144099E859A3291CB35AD45CB60

Function 00BECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD48

Part of subcall function 00BECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BECCAA
Part of subcall function 00BECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BECCBD
Part of subcall function 00BECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BECCCF
Part of subcall function 00BECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BECD05
Part of subcall function 00BECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BECCF3

Strings

advapi32.dll, xrefs: 00BECCB8
RegDeleteKeyExW, xrefs: 00BECCC9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction ID: 27e5ab802335025db3c95aba6cad8122f5cc05c2737dbfe5d13e6fae390e326f
Opcode Fuzzy Hash: d3124abdd6ea17dffa7763f1a39bba5687e4cc0940e5914d5ea29e26156cbdd7
Instruction Fuzzy Hash: F9316E7190112DBBDB208B65DC88EFFBFBCEF55750F1041B5A906E3240DB349A86DAA0

Function 00BD3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BD3D40
_wcslen.LIBCMT ref: 00BD3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BD3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BD3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00BD3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BD3E55
CloseHandle.KERNEL32(00000000), ref: 00BD3E60
CloseHandle.KERNEL32(00000000), ref: 00BD3E6B

Strings

\??\%s, xrefs: 00BD3D5B
\, xrefs: 00BD3D77
:, xrefs: 00BD3D82

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction ID: bcaf2bba3ea48977bd45f4e33fee99229993a83f452359c4b44add3dc6192e28
Opcode Fuzzy Hash: 7104db0bb2e9958d92563cee96f0c5dbcc7d5f8996ff6f133fbe657f48d00d71
Instruction Fuzzy Hash: 35318C7290020AAADB209FA0DC49FEB77F9EF88B40F1040B6F50997161EB709784CB25

Function 00BCE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BCE6B4

Part of subcall function 00B7E551: timeGetTime.WINMM(?,?,00BCE6D4), ref: 00B7E555

Sleep.KERNEL32(0000000A), ref: 00BCE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BCE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BCE727
SetActiveWindow.USER32 ref: 00BCE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BCE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BCE773
Sleep.KERNEL32(000000FA), ref: 00BCE77E
IsWindow.USER32 ref: 00BCE78A
EndDialog.USER32(00000000), ref: 00BCE79B

Strings

BUTTON, xrefs: 00BCE719

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction ID: dc28bba8e1343ebfa98157170e139c23c78aa59cf18839b2481e3e4fd162253f
Opcode Fuzzy Hash: 0b4a14146a00afacf17ba9b289493d3e64045bf247d44c7a0484eb4fbfc0a380
Instruction Fuzzy Hash: BE216DB1210A08EFEB005F21ED8AF3A3FA9EB54748B105469F925C31B1DF71EC50CA64

Function 00BCE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BCEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BCEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BCEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BCEAA7

Strings

play PlayMe, xrefs: 00BCEAA2
close PlayMe, xrefs: 00BCEA6E, 00BCEA9B
open , xrefs: 00BCEA0C
status PlayMe mode, xrefs: 00BCEA58
play PlayMe wait, xrefs: 00BCEA91
alias PlayMe, xrefs: 00BCEA36

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction ID: f7e86c7d370909a048b63aaabd87f79ceaf36342c84149c50ada864687ac4a4d
Opcode Fuzzy Hash: ff0d345cef54acdce3586803bf630d89c417ccb6db8489065df14ad319cdc079
Instruction Fuzzy Hash: 54112131A90269BDD720B7A5ED4AEFF6AFCEBD2B40F440479B411A20D1EEB05945C9B0

Function 00BC9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BCA012
SetKeyboardState.USER32(?), ref: 00BCA07D
GetAsyncKeyState.USER32(000000A0), ref: 00BCA09D
GetKeyState.USER32(000000A0), ref: 00BCA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00BCA0E3
GetKeyState.USER32(000000A1), ref: 00BCA0F4
GetAsyncKeyState.USER32(00000011), ref: 00BCA120
GetKeyState.USER32(00000011), ref: 00BCA12E
GetAsyncKeyState.USER32(00000012), ref: 00BCA157
GetKeyState.USER32(00000012), ref: 00BCA165
GetAsyncKeyState.USER32(0000005B), ref: 00BCA18E
GetKeyState.USER32(0000005B), ref: 00BCA19C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4ec21a27239eb749155da2cf4239256efb1002a474e6b8eae0f37846f4518810
Instruction ID: 5f3a675c79d6195c5f591beb2b72937045cc51d1649982671cc1cd5ad63e1d88
Opcode Fuzzy Hash: 4ec21a27239eb749155da2cf4239256efb1002a474e6b8eae0f37846f4518810
Instruction Fuzzy Hash: 3E51672090478C29FB35DBB08955FEAAFF5DF12384F0845DDD5C25B1C2DA54AA4CC762

Function 00BC5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BC5CE2
GetWindowRect.USER32(00000000,?), ref: 00BC5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BC5D59
GetDlgItem.USER32(?,00000002), ref: 00BC5D69
GetWindowRect.USER32(00000000,?), ref: 00BC5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BC5DCF
GetDlgItem.USER32(?,000003E9), ref: 00BC5DDD
GetWindowRect.USER32(00000000,?), ref: 00BC5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BC5E31
GetDlgItem.USER32(?,000003EA), ref: 00BC5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BC5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00BC5E67

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction ID: 891c7065b1ae8d8cf97da349696c03a5058da28a989064e055eac45085f62604
Opcode Fuzzy Hash: 1e493fa428e2224faba850f9c3cae1a5d4038f258812ca2414ae799ad6d41dc7
Instruction Fuzzy Hash: 0151FF71A00609AFDF18DF68DD89EAEBBF5EB48310F148169F516E7290DB70AE44CB50

Function 00B78BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B78F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B78BE8,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78FC5

DestroyWindow.USER32(?), ref: 00B78C81
KillTimer.USER32(00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00B78D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00BB6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000,?), ref: 00BB69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B78BBA,00000000), ref: 00BB69D4
DeleteObject.GDI32(00000000), ref: 00BB69E6

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction ID: 1d58fb3908dd22fbbf287fc3437e0c1efd649b0c3320c94e03221350a25c6554
Opcode Fuzzy Hash: f820765fa0d69c0082d3d76d4636a2b1de96791a85b5ebad4dae3e37e8c4b396
Instruction Fuzzy Hash: 78618C30511704DFCB269F24DA48B79BBF1FB44322F1885A8E45A9B5A0CB75AD80CF90

Function 00B79838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B79944: GetWindowLongW.USER32(?,000000EB), ref: 00B79952

GetSysColor.USER32(0000000F), ref: 00B79862

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction ID: 7afd25e9c8058e520969a49217bcdd0378fc6e7d2a2ff5f3215eaf09e80250dd
Opcode Fuzzy Hash: 23463b65e64f6aecd5b9fd0479f3527a8e9a09d6eabc6e3ffbcfcadf894bb5a2
Instruction Fuzzy Hash: 9B41F331104604AFDB209F389C84BB93BE5EB57370F148685F9B69B2E1CB709D82DB11

Function 00BC96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BC9717
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9720

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BAF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BC9742
LoadStringW.USER32(00000000,?,00BAF7F8,00000001), ref: 00BC9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BC9866

Strings

Line %d (File "%s"):, xrefs: 00BC978F
^ ERROR, xrefs: 00BC97FB
Error: , xrefs: 00BC981D
%s (%d) : ==> %s: %s %s, xrefs: 00BC984A
Line %d:, xrefs: 00BC97A0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction ID: 5b177e8965de2d9531b11a0e3b4f725bf0c3118af132cfaffa8970d88fba2e9e
Opcode Fuzzy Hash: fb209b2ad537a4242fbb015c1517c1e5cbb35a7454d38f9070d214e57f8f0308
Instruction Fuzzy Hash: DE412B72800219AADF04EBE0DE86EEE77BCAF55740F1400A5F60573192EB396F48CB61

Function 00BC06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BC07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BC07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BC07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BC0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BC082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BC083C

Strings

\IPC$, xrefs: 00BC0784
\CLSID, xrefs: 00BC0724
SOFTWARE\Classes\, xrefs: 00BC070E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction ID: 765cd345092acfeac217650a872825a334d4bca824c32c65d4658395a2d91791
Opcode Fuzzy Hash: 253b4144dd9bc3aa79c8370a7379ac7ab5a96b0c0ee67f866b8c460c1fe32909
Instruction Fuzzy Hash: 8C41F572C10229EBDF15EFA4DC95DEEB7B8FF04750B1441A9E901A31A1EB349E45CBA0

Function 00BF3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BF403B
CreateCompatibleDC.GDI32(00000000), ref: 00BF4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BF4055
SelectObject.GDI32(00000000,00000000), ref: 00BF405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BF4068
DeleteDC.GDI32(00000000), ref: 00BF4072
GetWindowLongW.USER32(?,000000EC), ref: 00BF407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BF4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BF409E

Strings

static, xrefs: 00BF3FD3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 326501705ad5b7a252ee2443509c74f932b216790e7620f6d01333b1a44209f7
Instruction ID: 620c669df98aa99a98119690d6054aaa41760c629b2d1a283296b8550bf1a02b
Opcode Fuzzy Hash: 326501705ad5b7a252ee2443509c74f932b216790e7620f6d01333b1a44209f7
Instruction Fuzzy Hash: 9C313832501219ABDF219FA8CD49FEA3FA8EF09720F110251FA14A71A0CB75D864DB54

Function 00BE3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE3C5C
CoInitialize.OLE32(00000000), ref: 00BE3C8A
CoUninitialize.OLE32 ref: 00BE3C94
_wcslen.LIBCMT ref: 00BE3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00BE3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BE3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BE3F0E
CoGetObject.OLE32(?,00000000,00BFFB98,?), ref: 00BE3F2D
SetErrorMode.KERNEL32(00000000), ref: 00BE3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BE3FC4
VariantClear.OLEAUT32(?), ref: 00BE3FD8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction ID: 216e34a8160e0a9b40aa2056b066288e5848fdb8d5656ac16159a470928ead39
Opcode Fuzzy Hash: 91a03ca3e12774f30e65a3ef3cd89c2a5bee6bc5c0a41b3d64d73ef449e2e553
Instruction Fuzzy Hash: 9CC159716043459FC700DF65C88892BBBE9FF89B44F1049ADF98A9B210DB31ED45CB92

Function 00BD7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BD7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BD7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00BD7BA3
CoCreateInstance.OLE32(00BFFD08,00000000,00000001,00C26E6C,?), ref: 00BD7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BD7C74
CoTaskMemFree.OLE32(?,?), ref: 00BD7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00BD7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BD7D7A
CoTaskMemFree.OLE32(00000000), ref: 00BD7D81
CoTaskMemFree.OLE32(00000000), ref: 00BD7DD6
CoUninitialize.OLE32 ref: 00BD7DDC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a94205fa30c93c3e87cb2a2ba26b0b3f884399069dc16d425021039bddabe632
Instruction ID: 9f08d36b25f48149c1256ff8b8dec8f91dce544d6d1a6abef0ab97c70d2ccbc3
Opcode Fuzzy Hash: a94205fa30c93c3e87cb2a2ba26b0b3f884399069dc16d425021039bddabe632
Instruction Fuzzy Hash: 64C10C75A04109AFCB14DF64C894DAEBBF9FF48314B1484A9E91ADB361EB30ED45CB90

Function 00BF541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BF5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF5515
CharNextW.USER32(00000158), ref: 00BF5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BF5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BF559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF55AC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction ID: ff663bc63516b987272200feecd80f30fa07b2e4a43b5f9f8967a202d2f02ad6
Opcode Fuzzy Hash: 1d8a1de4e893f2ca7fbf5dce260fdc2a6c7de5778b149ed5036e003fb64a1bf6
Instruction Fuzzy Hash: A5616D7490460CAFDF209F54CC85AFE7BF9EB09721F108189FB25A7290D7749A89DB60

Function 00BBFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BBFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00BBFB08
VariantInit.OLEAUT32(?), ref: 00BBFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BBFB3A
VariantCopy.OLEAUT32(?,?), ref: 00BBFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BBFBA1
VariantClear.OLEAUT32(?), ref: 00BBFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00BBFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBCC
VariantClear.OLEAUT32(?), ref: 00BBFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BBFBE9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction ID: 8265da55002ce7133f9c8214815f0655a37a4159dc8eae9c77b6807f2f3845ac
Opcode Fuzzy Hash: ca216a0e7bc95e964baa73813ea88536ba216326fadb3fee4cb9f0815865858e
Instruction Fuzzy Hash: 82415E35A0021A9FCF14DF68DC549FEBFB9EF48344F0084A9E955A7361CB70A945CBA0

Function 00BC9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BC9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00BC9D22
GetKeyState.USER32(000000A0), ref: 00BC9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00BC9D57
GetKeyState.USER32(000000A1), ref: 00BC9D6C
GetAsyncKeyState.USER32(00000011), ref: 00BC9D84
GetKeyState.USER32(00000011), ref: 00BC9D96
GetAsyncKeyState.USER32(00000012), ref: 00BC9DAE
GetKeyState.USER32(00000012), ref: 00BC9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00BC9DD8
GetKeyState.USER32(0000005B), ref: 00BC9DEA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction ID: 36d09c95fb2711e6824339c3e967ece0b7d0e2590941d5b10b5238342ab89232
Opcode Fuzzy Hash: b2e1262326d2f528547808ed1bab58024cefe50e77390c7b666a80d93b419b2a
Instruction Fuzzy Hash: C141D8745047CA69FF308764940CBB6BEE0EB21344F0480EEDAC7675C2DBA499C8C7A2

Function 00BE055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BE05BC
inet_addr.WSOCK32(?), ref: 00BE061C
gethostbyname.WSOCK32(?), ref: 00BE0628
IcmpCreateFile.IPHLPAPI ref: 00BE0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00BE07B9
WSACleanup.WSOCK32 ref: 00BE07BF

Strings

Ping, xrefs: 00BE0676

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e5fdcd28fff1f760c4d3b4ff52e44c7d78c666a5dc0afca38a51fc4058422f66
Instruction ID: 201c9e1b33f2991045f88ab0262f536df5c1965d5fcda0d615152e037ee83714
Opcode Fuzzy Hash: e5fdcd28fff1f760c4d3b4ff52e44c7d78c666a5dc0afca38a51fc4058422f66
Instruction Fuzzy Hash: 0A919F356182419FD320EF16C588F2ABBE0EF44318F1485E9F4699B6A2C7B4ED85CF91

Function 00BE8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BE8CF3

Part of subcall function 00BC8E54: _wcslen.LIBCMT ref: 00BC8E77

_wcslen.LIBCMT ref: 00BE8D4E
_wcslen.LIBCMT ref: 00BE8D9C
_wcslen.LIBCMT ref: 00BE8DDC
_wcslen.LIBCMT ref: 00BE8E6E

Strings

cdecl, xrefs: 00BE8D48, 00BE8D4D
none, xrefs: 00BE8E65, 00BE8E6A
winapi, xrefs: 00BE8D96, 00BE8D9B
stdcall, xrefs: 00BE8DD6, 00BE8DDB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction ID: d5733c1c03ac805bc5e4bdbe85cddb98f2a487dc56176a52ed420dcaeff5112e
Opcode Fuzzy Hash: 8ed325ab5350143b18be1294fe5866ff4a02ba69e28961df2e36062799c4d419
Instruction Fuzzy Hash: 62519031A009569BCF24DF6DC9819BEB7E6FF64724B2042A9E42AE72C4DB35DD40C790

Function 00BE372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BE3774
CoUninitialize.OLE32 ref: 00BE377F
CoCreateInstance.OLE32(?,00000000,00000017,00BFFB78,?), ref: 00BE37D9
IIDFromString.OLE32(?,?), ref: 00BE384C
VariantInit.OLEAUT32(?), ref: 00BE38E4
VariantClear.OLEAUT32(?), ref: 00BE3936

Strings

Failed to create object, xrefs: 00BE37E4, 00BE389A
NULL Pointer assignment, xrefs: 00BE381E
Invalid parameter, xrefs: 00BE3865

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 90ea7ed92e0bafbb27b4e8a7616963eacf18a0cc7e1c1404a5ac2c505d49b3a1
Instruction ID: e2073eada117a9c2a2c5c5b2987e0eb5aae28cb445ce8f0e3f869abb87e58550
Opcode Fuzzy Hash: 90ea7ed92e0bafbb27b4e8a7616963eacf18a0cc7e1c1404a5ac2c505d49b3a1
Instruction Fuzzy Hash: BF61B071608341AFD310DF55D888F6ABBE8EF48B14F10499DF9859B291DB70EE48CB92

Function 00BD3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BD33CF

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BD33F0

Strings

Line %d (File "%s"):, xrefs: 00BD3443, 00BD345C
^ ERROR , xrefs: 00BD349E
Incorrect parameters to object property !, xrefs: 00BD34AB
Error: , xrefs: 00BD34D1
"%s" (%d) : ==> %s:, xrefs: 00BD3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3504

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction ID: a73d9087b3bc17a119c731022e256a8966f9d1737dc87da015606f3abaf6f485
Opcode Fuzzy Hash: 1021da21d7cf67635a916b2b9e4d69ec07e40c61f3ddbd33acbaeba1a4fa85aa
Instruction Fuzzy Hash: C9516D32900209AADF15EBA0DE46EEEB7F8EF14740F1440A5F505731A2EB356F58DB61

Function 00BCB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BCB5FC
_wcslen.LIBCMT ref: 00BCB608
_wcslen.LIBCMT ref: 00BCB64D
_wcslen.LIBCMT ref: 00BCB68C
_wcslen.LIBCMT ref: 00BCB6C7

Strings

EXISTS, xrefs: 00BCB686, 00BCB68B
REMOVE, xrefs: 00BCB602, 00BCB607
APPEND, xrefs: 00BCB6C1, 00BCB6C6
KEYS, xrefs: 00BCB647, 00BCB64C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction ID: deb569baf99b114b1f480b418f0ceaa914ae0e1c369699c2e3dc712b622511ed
Opcode Fuzzy Hash: d9546f7bc442abeed0ea8c49412d81e2219a8897b1ff29d753fa868c14e7dd75
Instruction Fuzzy Hash: 2A419532A001269ACB206F7DC992EBEB7E5EB60B54F2441BEE465D7284E735CD81C790

Function 00BD5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BD5416
GetLastError.KERNEL32 ref: 00BD5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00BD54A7

Strings

INVALID, xrefs: 00BD5459
READONLY, xrefs: 00BD5452
READY, xrefs: 00BD5460, 00BD5468
UNKNOWN, xrefs: 00BD5444
NOTREADY, xrefs: 00BD544B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction ID: aca7c217db1df24fcdc5ca9ffc764b825101cdb2380c6d8bd46a4ccbb700a511
Opcode Fuzzy Hash: d5665ad8c3d6ceda33fbff2253d2a469f4a833990c42944c53e55f11b33c0707
Instruction Fuzzy Hash: 18319375A005089FCB20DF68C584AAABBF4EF45305F1480AAE405DB356EB71DD86CF92

Function 00BF3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BF3C79
SetMenu.USER32(?,00000000), ref: 00BF3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3D10
IsMenu.USER32(?), ref: 00BF3D24
CreatePopupMenu.USER32 ref: 00BF3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3D5B
DrawMenuBar.USER32 ref: 00BF3D63

Strings

0, xrefs: 00BF3C54
F, xrefs: 00BF3D4E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction ID: f93e26c0566d58c56abc9ee8d4bdac78d67dc44f5a2b13ae1b4507b5e3051035
Opcode Fuzzy Hash: 1423eb9fd20769e4a489113b912db91430b3fd6b384a323d8b09a5ce325d0fee
Instruction Fuzzy Hash: 0B416779A01209EFDB14DF64D884BAA7BF5FF49750F140068EA56A7360D730AA18CF94

Function 00BC1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00BC1F64
GetDlgCtrlID.USER32 ref: 00BC1F6F
GetParent.USER32 ref: 00BC1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC1F8E
GetDlgCtrlID.USER32(?), ref: 00BC1F97
GetParent.USER32(?), ref: 00BC1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC1FAE

Strings

ListBox, xrefs: 00BC1F21
ComboBox, xrefs: 00BC1EEC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 87c46047cda797fd875bd6ca598a57ebc4142eb7c37ec318fc02c1e2f93a898f
Instruction ID: f4e65f321312a423ec6b77be12c54819ab2b56f22216e13f33b99035e8f8a7fb
Opcode Fuzzy Hash: 87c46047cda797fd875bd6ca598a57ebc4142eb7c37ec318fc02c1e2f93a898f
Instruction Fuzzy Hash: E821C270A00218BBCF04AFA4DC85EFEBBF8EF16350F004599F961A7291CB385958DB60

Function 00BC1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00BC2043
GetDlgCtrlID.USER32 ref: 00BC204E
GetParent.USER32 ref: 00BC206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC206D
GetDlgCtrlID.USER32(?), ref: 00BC2076
GetParent.USER32(?), ref: 00BC208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC208D

Strings

ListBox, xrefs: 00BC2002
ComboBox, xrefs: 00BC1FCD

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ccab9642058b3b477b78173ff4b128b6d8fc68d07f747fc095de7e34476702a0
Instruction ID: d6d51195d1ca378cfbb03194bfdd7cf89c9f0add173faa15aae51255b8ecec58
Opcode Fuzzy Hash: ccab9642058b3b477b78173ff4b128b6d8fc68d07f747fc095de7e34476702a0
Instruction Fuzzy Hash: 3521C375A00218BBCF14AFA0DD85EFEBFF8EF15340F00409AF951A71A1DA798954DB60

Function 00BF3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BF3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BF3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00BF3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BF3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BF3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BF3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BF3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BF3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BF3C13

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction ID: 623e301219065cf71ad0b4a94211fcffedb686c07a877f92bba4d723f1b3fbb5
Opcode Fuzzy Hash: b381c857980687635a5d1beaf54e1a525b642591a3b31675fcb9c2574ac1aa13
Instruction Fuzzy Hash: 60613775A00248AFDB10DFA8CC81FFE77F8EB09710F144199FA15A72A2D774AA45DB50

Function 00B92C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B92C94

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B92CA0
_free.LIBCMT ref: 00B92CAB
_free.LIBCMT ref: 00B92CB6
_free.LIBCMT ref: 00B92CC1
_free.LIBCMT ref: 00B92CCC
_free.LIBCMT ref: 00B92CD7
_free.LIBCMT ref: 00B92CE2
_free.LIBCMT ref: 00B92CED
_free.LIBCMT ref: 00B92CFB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction ID: 8444479e3de099674d58b9a10b088086dd399b6f3f3e1445aa0d5de05fa5705c
Opcode Fuzzy Hash: 21bc71fa06f005f563a6c4ab7db46d3d14216f72aa6341639c71d8a6980c9fe2
Instruction Fuzzy Hash: DE114076910108BFCF02EF94D982CDD7BA9FF05350F9145B5FA489B322DA31EA509B90

Function 00BD7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BD7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD7FC1
GetFileAttributesW.KERNEL32(?), ref: 00BD7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BD8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00BD8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BD80B0

Strings

*.*, xrefs: 00BD8066

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction ID: f34d7d00ec18bda9e99ad0354551049f2a8be8618df09bbe4d4ed6e6317e13dd
Opcode Fuzzy Hash: d8cfafaa19be46b49621509ab89ace4912c1473b33e71195b094938aa5365614
Instruction Fuzzy Hash: 998180715482459BCB20EF54C8849AAF7E8EB88314F14489FF889D7351FB35DD49CB92

Function 00B65BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B65C7A

Part of subcall function 00B65D0A: GetClientRect.USER32(?,?), ref: 00B65D30
Part of subcall function 00B65D0A: GetWindowRect.USER32(?,?), ref: 00B65D71
Part of subcall function 00B65D0A: ScreenToClient.USER32(?,?), ref: 00B65D99

GetDC.USER32 ref: 00BA46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BA4708
SelectObject.GDI32(00000000,00000000), ref: 00BA4716
SelectObject.GDI32(00000000,00000000), ref: 00BA472B
ReleaseDC.USER32(?,00000000), ref: 00BA4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BA47C4

Strings

U, xrefs: 00BA4693

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction ID: 0d09926c3da35a362d789e787ac76fb9331e6d5bcad8216702e6ff3ec2284211
Opcode Fuzzy Hash: 3e67e69b4e77a465b32157cff37ea7e4a46cfe6813176aca97ca3775dbf4cc19
Instruction Fuzzy Hash: DB71D031408249DFCF218F68C984ABA7BF5FF8A320F1842E9ED555A1A6C7B49C91DF50

Function 00BD359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00BD35E4

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

LoadStringW.USER32(00C32390,?,00000FFF,?), ref: 00BD360A

Strings

Line %d (File "%s"):, xrefs: 00BD366B
^ ERROR, xrefs: 00BD36C9
Error: , xrefs: 00BD36EF
"%s" (%d) : ==> %s:, xrefs: 00BD3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00BD3724

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction ID: 8491cd3d8cfe838364c74644932389faac0254ca149e3cc9e1e194e0e90c5011
Opcode Fuzzy Hash: 5a91b6b1a2a56e700a45a02ff256892a261427ce0b78bdfed9cc84347b8dde91
Instruction Fuzzy Hash: 73518F72800209BADF14EBA0DD42EEDBBF8EF14700F1441A5F505721A2EB345B98DFA5

Function 00BDC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BDC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BDC2CA
GetLastError.KERNEL32 ref: 00BDC322
SetEvent.KERNEL32(?), ref: 00BDC336
InternetCloseHandle.WININET(00000000), ref: 00BDC341

Strings

, xrefs: 00BDC2BB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction ID: 3efc66c9eb69827050057f14b0bef1072f5dcce8d440809031c876df6ee020a5
Opcode Fuzzy Hash: 8f196d55576fafb7e670897eae903ee893fd7e53ef8b9b7b4c3c5046e0a9df96
Instruction Fuzzy Hash: 93316BB1600609AFDB21AF658988ABBBFFCEB49754B10855EF44693310EB30ED44DB64

Function 00BC989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BA3AAF,?,?,Bad directive syntax error,00BFCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BC98BC
LoadStringW.USER32(00000000,?,00BA3AAF,?), ref: 00BC98C3

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BC9987

Strings

Line %d (File "%s"):, xrefs: 00BC992D
., xrefs: 00BC996D
%s (%d) : ==> %s.: %s %s, xrefs: 00BC98F1
Line %d:, xrefs: 00BC9912
Error: , xrefs: 00BC9955

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction ID: 743e5ce878b0df147e7a0b418b0506e6ba4638a948c80711cda7375568f7982a
Opcode Fuzzy Hash: 028af32b8cbf6d446da098dae3bb73f36fb323de8c702f4e1a9749007fd528ee
Instruction Fuzzy Hash: A021803180021EABDF11EF90CC0AEFE77B9FF18700F0444A9F515620A2EB759A58DB60

Function 00BC209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BC20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00BC20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BC214D

Strings

SHELLDLL_DefView, xrefs: 00BC20CC
largeicons, xrefs: 00BC20E1
list, xrefs: 00BC212F
smallicons, xrefs: 00BC2115
details, xrefs: 00BC20FB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction ID: a3442e7a54a616f781eb62f36f1282e39662e0d8762f4e06af52822231b3a9b9
Opcode Fuzzy Hash: 76bd63e64d11535e195845196cd2637c88c1cd937fb83069e505a2472a0fb40d
Instruction Fuzzy Hash: 4411C676688717BAFA157720EC06EB777DCDF05725B2001BAFB04FA0E1EE7168419A14

Function 00B98D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction ID: b2aa85dac2e3af061b5ffb18d17f7ba6a7ca4622392b47d9d1a46720936c66d7
Opcode Fuzzy Hash: 8d569d7e095ecfa9189968394314080498e5d56d931f76af64e254cc24438add
Instruction Fuzzy Hash: 74C1BE75D04249AFDF11EFACC891BADBBF0AF0A310F1440E9F425A7292D7309941CB61

Function 00B9CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B9CEB7
_free.LIBCMT ref: 00B9CF22
_free.LIBCMT ref: 00B9CF48
_free.LIBCMT ref: 00B9CF71
_free.LIBCMT ref: 00B9CFA9
_free.LIBCMT ref: 00B9CFDA
_free.LIBCMT ref: 00B9D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B9D09C
_free.LIBCMT ref: 00B9D0B5

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 94aecd8600f8d8543518859f4c1f8f24f7bb71c524b2b906839cc76d8fc2bfd4
Instruction ID: 8e7351d4a81bbdfbbe08626227bf8c22a3db63cd793d5e8120135a86d15f4e72
Opcode Fuzzy Hash: 94aecd8600f8d8543518859f4c1f8f24f7bb71c524b2b906839cc76d8fc2bfd4
Instruction Fuzzy Hash: DC61E072A04205AFDF21AFB49891BAE7FE5EF05360F1441FDF945A7282E7329D098790

Function 00BF50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00BF5186
ShowWindow.USER32(?,00000000), ref: 00BF51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00BF51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00BF51D1

Part of subcall function 00BF6FBA: DeleteObject.GDI32(00000000), ref: 00BF6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00BF520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BF524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00BF5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00BF5296

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 81e7e7359001964423f0593e9b4f3599324a198b12bdf673b64175bbfa590f85
Instruction ID: 4cb7ba2e3496301ab1b49bcaea5292b2c656bbd9963c68e0d36c3a8914108a60
Opcode Fuzzy Hash: 81e7e7359001964423f0593e9b4f3599324a198b12bdf673b64175bbfa590f85
Instruction Fuzzy Hash: 0D516F30A50A0CBEEF349F24CC45BB97BE5EB05321F148291F725A72E0C775AA98DB41

Function 00B78B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BB6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BB68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BB68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BB68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BB68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BB691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B78874,00000000,00000000,00000000,000000FF,00000000), ref: 00BB692D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction ID: 75301d2f0f70e593cb4c113fbceaea3f3e7efc9587810cf17ce7463fa9180001
Opcode Fuzzy Hash: 339bf5e69b7ac45d1be17f0c12ee32762add0f5a9142d3c51b935f2f97dd28fb
Instruction Fuzzy Hash: 08518A70600209EFDB20CF24CC95BBA7BF5EB48760F108558F95A972A0DBB1ED90DB50

Function 00BDC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BDC182
GetLastError.KERNEL32 ref: 00BDC195
SetEvent.KERNEL32(?), ref: 00BDC1A9

Part of subcall function 00BDC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BDC272
Part of subcall function 00BDC253: GetLastError.KERNEL32 ref: 00BDC322
Part of subcall function 00BDC253: SetEvent.KERNEL32(?), ref: 00BDC336
Part of subcall function 00BDC253: InternetCloseHandle.WININET(00000000), ref: 00BDC341

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction ID: 5513cb2c31a5d7f73f52bb89bad3d47f3984a741ea2f456787b4b0d177a88380
Opcode Fuzzy Hash: 303f5bbfffe902531f33a7845081d9255065a7d540cad9b9a4803c39803717da
Instruction Fuzzy Hash: A1314771600A06AFDB219FA59D44A76FFE9FF18300B14446EF95A93710EB31E854DBA0

Function 00BC25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BC25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BC25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BC2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BC2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BC260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BC2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BC2627

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction ID: 304151a10dfd8c92194e63de886a9292f9a94674b4f5ea51ee7696dac245cd4b
Opcode Fuzzy Hash: 6053fe05029f5726704e8a7c6c9ed0ad16d8df85ee582f15e889d9eb894ef6da
Instruction Fuzzy Hash: C801D430394214BBFB1067689C8AF693F99DF4EB12F600015F318AF0D1CDF26494CA69

Function 00BC1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BC1449,?,?,00000000), ref: 00BC180C
HeapAlloc.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1828
GetCurrentProcess.KERNEL32(?,00000000,?,00BC1449,?,?,00000000), ref: 00BC1830
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC1449,?,?,00000000), ref: 00BC1843
GetCurrentProcess.KERNEL32(00BC1449,00000000,?,00BC1449,?,?,00000000), ref: 00BC184B
DuplicateHandle.KERNEL32(00000000,?,00BC1449,?,?,00000000), ref: 00BC184E
CreateThread.KERNEL32(00000000,00000000,00BC1874,00000000,00000000,00000000), ref: 00BC1868

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction ID: 606141d915eacb2bccd0f5b83b8abfa18ebd4183ca8f91eddd1a1ff491c9a547
Opcode Fuzzy Hash: 190588a69bdee4f7d3d48346bcd83d82e356f76403443114547dd8dc268186a7
Instruction Fuzzy Hash: C901BBB5240308BFE710ABA5DD4DF6B3FACEB89B11F104411FA05EB1A2CA709950DB60

Function 00BEA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00BCD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BCD501
Part of subcall function 00BCD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BCD50F
Part of subcall function 00BCD4DC: CloseHandle.KERNELBASE(00000000), ref: 00BCD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA16D
GetLastError.KERNEL32 ref: 00BEA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BEA268
GetLastError.KERNEL32(00000000), ref: 00BEA273
CloseHandle.KERNEL32(00000000), ref: 00BEA2C4

Strings

SeDebugPrivilege, xrefs: 00BEA18F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction ID: 7c616e683ae85e4fd78e0518455f45d9fd70f9f8df1d240a5d5ffc79d562d765
Opcode Fuzzy Hash: 425108eaf639c1a4c993e7d07674cc68e1446e6ffd3ce97fe366a3ab5e248728
Instruction Fuzzy Hash: 1C617A302042829FD710DF19C494F25BBE5AF44318F1484DCE56A9B7A3C776ED89CB92

Function 00BF3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BF3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BF393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BF3954
_wcslen.LIBCMT ref: 00BF3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BF39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BF39F4

Strings

SysListView32, xrefs: 00BF38F7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction ID: d049b83cc5f7e5b82a73512a447a945b8b74efa5de25825fd0a1a01bab62203e
Opcode Fuzzy Hash: 0159503e845be8baab70f1521e95bd95da2cea71f1dde515e835d84f88782261
Instruction Fuzzy Hash: 5641C231A0021CABDF219F64CC45BFA7BE9EF08750F100566FA49E7281D7B59A84CB90

Function 00BCBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BCBCFD
IsMenu.USER32(00000000), ref: 00BCBD1D
CreatePopupMenu.USER32 ref: 00BCBD53
GetMenuItemCount.USER32(00DF7238), ref: 00BCBDA4
InsertMenuItemW.USER32(00DF7238,?,00000001,00000030), ref: 00BCBDCC

Strings

2, xrefs: 00BCBD37
0, xrefs: 00BCBCA8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction ID: 4e7c3768990505f8585a67135a639e6b8b64e22221766fc71f604a1dbeae0d82
Opcode Fuzzy Hash: 2126d93e4768ef5a9ada0c9937b9dad1b23dcc45eac39a1e0d853a2d00931fbb
Instruction Fuzzy Hash: 2951BC70A00209ABDB10CFA8D8C6FAEBBF8FF55314F2441ADE452EB290D7709945CB61

Function 00BCC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BCC913

Strings

blank, xrefs: 00BCC895
warning, xrefs: 00BCC8FC
stop, xrefs: 00BCC8E4
question, xrefs: 00BCC8CC
info, xrefs: 00BCC8B4

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction ID: ebe80c66337142715050f04b7cb591ee244a20fc2bc08b4ab48bf177b9d92e32
Opcode Fuzzy Hash: e20b02f3a68267f948b97e098d4b48ed905a9c0e82286c899685397f32532764
Instruction Fuzzy Hash: 35110D31689317BAE705AB54AC83EAB6BECDF25754B1000BEF508A62D2D7F09D409365

Function 00BCDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BCDE42
gethostname.WSOCK32(?,00000100), ref: 00BCDE5C
gethostbyname.WSOCK32(?), ref: 00BCDE69
inet_ntoa.WSOCK32(?), ref: 00BCDEAB
_strcat.LIBCMT ref: 00BCDEB9
WSACleanup.WSOCK32 ref: 00BCDEDE

Strings

0.0.0.0, xrefs: 00BCDE87

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b6c6ba468931c43d3f422a5b38866556932bbb8dc8dbb523b1ca337d22db52ef
Instruction ID: 667017a02837bf1d224c82395bb0f8784442a58cb6d1a5a07f982677e7756e3c
Opcode Fuzzy Hash: b6c6ba468931c43d3f422a5b38866556932bbb8dc8dbb523b1ca337d22db52ef
Instruction Fuzzy Hash: 6911D53590411AAFCB207B249C4AEEA77ECDB14711F0101FEF509970A1EF708A85CB60

Function 00BF9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetSystemMetrics.USER32(0000000F), ref: 00BF9FC7
GetSystemMetrics.USER32(0000000F), ref: 00BF9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BFA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BFA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BFA263
ShowWindow.USER32(00000003,00000000), ref: 00BFA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00BFA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BFA2CA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 4463c9b604474054d3863e0cfe01bafa9965d13d91f02c9cbd180eaf879cc0c0
Instruction ID: 1a7f220199eca48cb7a02757bd77fae59af984a3dee1b9260376b0ea55e27211
Opcode Fuzzy Hash: 4463c9b604474054d3863e0cfe01bafa9965d13d91f02c9cbd180eaf879cc0c0
Instruction Fuzzy Hash: AFB18B716002199FDF18CF68C9857BE7BF2FF44701F0980A9EE49AB295D731AA44CB51

Function 00BCED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BCED2A
_wcslen.LIBCMT ref: 00BCED3B
_wcslen.LIBCMT ref: 00BCED79
_wcslen.LIBCMT ref: 00BCEDAF
_wcslen.LIBCMT ref: 00BCEDDF
_wcslen.LIBCMT ref: 00BCEDEF
_wcslen.LIBCMT ref: 00BCEE2B
_wcslen.LIBCMT ref: 00BCEE5A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction ID: f2bd29289de704be0bf733d6b79551ad65d479a58ca0ddfb7f38bef225dd3758
Opcode Fuzzy Hash: cc29b8e023ce0fc8fff1297bba620e47201b3d98fcb793194db202c5fd376237
Instruction Fuzzy Hash: BB418365C10119B6CB21FBB4C88AACFB7E8AF45710F5084A7E528E3172FB34D655C3A5

Function 00B7F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00B7F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BBF454

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction ID: dced9dd6682ce9a39781d1d660f8e1c8ddac22809183e66c86f6e5e2d71fd03b
Opcode Fuzzy Hash: 76d1cc5174ab850c2e64f49eb4f4d03495febd78eb9e249f66e0cc35852c02dd
Instruction Fuzzy Hash: 9C41F831608642BBC7399B2D8DC87BA7BD2EB56310F14C4BCE66F57660DA71E880CB15

Function 00BF2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BF2D1B
GetDC.USER32(00000000), ref: 00BF2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00BF2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BF2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BF2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BF5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00BF2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BF2DE1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction ID: 613d5b36c4ff6a7eea2501f5d643b411f537d021f8f459bc4b868a3e6b165938
Opcode Fuzzy Hash: d82331c70930a2e59056d8741134deae886f41c1d011bdb9a7dd6daa419c73c0
Instruction Fuzzy Hash: 91317C76201618BBEB118F50CC89FBB3FA9EB09711F044065FE08DB291CA759C95C7A0

Function 00BC5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5637
_memcmp.LIBVCRUNTIME ref: 00BC5659
_memcmp.LIBVCRUNTIME ref: 00BC5671
_memcmp.LIBVCRUNTIME ref: 00BC5684
_memcmp.LIBVCRUNTIME ref: 00BC569E
_memcmp.LIBVCRUNTIME ref: 00BC56B1
_memcmp.LIBVCRUNTIME ref: 00BC56C9
_memcmp.LIBVCRUNTIME ref: 00BC56E4

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction ID: 10d0d7793e72490df4f11d1104a24b9d657e36314f92b375968173210a135cf4
Opcode Fuzzy Hash: 938d8fa97ffa333bdb66455a3f433932943f92d119dfdebac5534f5312d2196b
Instruction Fuzzy Hash: B521A761641A1A77D624AE248D82FBA33DCEF21384F4404F9FE049B591F721FD95C2A9

Function 00BE4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00BE502E, 00BE5383
Not an Object type, xrefs: 00BE5007

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d8d41ce020985458f196b693ac8f3fde3e7a2c608e7c60064a660996300d80ac
Instruction ID: ac2fdc356ff952315e573d323f962a4986ab324afa8414d2bc5f1ec2e213f01f
Opcode Fuzzy Hash: d8d41ce020985458f196b693ac8f3fde3e7a2c608e7c60064a660996300d80ac
Instruction Fuzzy Hash: 30D1B371A0064A9FDF20CF99C881BAEB7F5FF48358F1481A9E915AB281E770DD45CB50

Function 00BA1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00BA15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BA1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BA16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00BA16FB

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BA1777
__freea.LIBCMT ref: 00BA17A2
__freea.LIBCMT ref: 00BA17AE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction ID: bf60ec053638ef62ee9cdbfd8ad0e1fba2925c1b3753182f89bac65c82ac3a8b
Opcode Fuzzy Hash: 9a23e65992c7ca0c7672f64fce822725ae70a034ad371052dd16c617fae4244f
Instruction Fuzzy Hash: D991C571E082169ADF648E7CC881EEE7BF5DF5A710F184AA9E802E7181DB35DD40CB60

Function 00BE4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE4648
VariantInit.OLEAUT32(?), ref: 00BE4749
VariantClear.OLEAUT32(?), ref: 00BE4753
VariantClear.OLEAUT32(?), ref: 00BE47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00BE472C
Null Object assignment in FOR..IN loop, xrefs: 00BE45D8, 00BE4706, 00BE47BE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1694e264ba35023b940dac3026414678cecf2d006e38336a6b6c9ceb017b233b
Instruction ID: 4784eb15f87aa7c2332968a474570f57347111e2528e92ca192fed2518548a86
Opcode Fuzzy Hash: 1694e264ba35023b940dac3026414678cecf2d006e38336a6b6c9ceb017b233b
Instruction Fuzzy Hash: 1A917F71A00259AFDF20CFA6D884FAEBBF8EF46714F108599F515AB280D7709D45CBA0

Function 00BD1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00BD125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BD1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00BD12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BD1430

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 05a24d38d145c4eeea7177ffc3bcddf0031e3500015e3f4f17eeeb62e54df7b4
Instruction ID: 05dcdb139bf826fc901a052c3850097aba3dd4a4eb93897ff1c4104956f300ce
Opcode Fuzzy Hash: 05a24d38d145c4eeea7177ffc3bcddf0031e3500015e3f4f17eeeb62e54df7b4
Instruction Fuzzy Hash: 5491AF71A00209AFDB009F98C885BBEB7F5FF45325F1488AAE910E7391E775A941CF94

Function 00B7948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction ID: 7e0f5f80849f88698f780e25daf0d9980e83fc5a7025ac35b65323ce7dfb073a
Opcode Fuzzy Hash: 20f52b5242d2c8aca5a0fc8db78c598802b7526467f84aae4834beea3381aaf3
Instruction Fuzzy Hash: 8E911571D44219EFCB10CFA9C884AEEBBF8FF89320F148595E525B7251D774AA42CB60

Function 00BE3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE396B
CharUpperBuffW.USER32(?,?), ref: 00BE3A7A
_wcslen.LIBCMT ref: 00BE3A8A
VariantClear.OLEAUT32(?), ref: 00BE3C1F

Part of subcall function 00BD0CDF: VariantInit.OLEAUT32(00000000), ref: 00BD0D1F
Part of subcall function 00BD0CDF: VariantCopy.OLEAUT32(?,?), ref: 00BD0D28
Part of subcall function 00BD0CDF: VariantClear.OLEAUT32(?), ref: 00BD0D34

Strings

AUTOIT.ERROR, xrefs: 00BE3A80, 00BE3A85
Incorrect Parameter format, xrefs: 00BE39A6, 00BE3BA1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 09504ff35b931a626e4ba75e7e40683f60ca362f8769b2f81d613029944d3f09
Instruction ID: fe477084ab3aa2942362a2812249800ce5f61d8af616535cc425329bdf147282
Opcode Fuzzy Hash: 09504ff35b931a626e4ba75e7e40683f60ca362f8769b2f81d613029944d3f09
Instruction Fuzzy Hash: 37918B746083459FC700DF29C58496AB7E4FF88714F1488AEF88A9B351DB31EE45CB92

Function 00BE4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00BC000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
Part of subcall function 00BC000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
Part of subcall function 00BC000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
Part of subcall function 00BC000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BE4C51
_wcslen.LIBCMT ref: 00BE4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BE4DCF
CoTaskMemFree.OLE32(?), ref: 00BE4DDA

Strings

NULL Pointer assignment, xrefs: 00BE4E23, 00BE4E52

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction ID: de88e52f17a56de4ae72d9372a387f2defdd04dd0f202cc3a4db50950f8bba51
Opcode Fuzzy Hash: 6defa4a1fc88a2fd9ba0e56d4b2eb8cf282caea402dc7ea7fc74cb32c8d27545
Instruction Fuzzy Hash: 49910471D0025DAFDF14DFA5D891AEEBBB8FF08300F1085A9E915A7291EB749A44CF60

Function 00BF20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BF2183
GetMenuItemCount.USER32(00000000), ref: 00BF21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BF21DD
_wcslen.LIBCMT ref: 00BF2213
GetMenuItemID.USER32(?,?), ref: 00BF224D
GetSubMenu.USER32(?,?), ref: 00BF225B

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BF22E3

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: adacfd14aefb214732bcc4bf89a7beea864ea0165d72e2b707675b55939e8f2a
Instruction ID: ddd7979de55ee07af6c4959d8520a24ef909db7ec5ba5baf360e9900f26db47a
Opcode Fuzzy Hash: adacfd14aefb214732bcc4bf89a7beea864ea0165d72e2b707675b55939e8f2a
Instruction Fuzzy Hash: 30714E75A00209AFCB14DFA4C885ABEBBF5EF48310F148499E956EB351DB34EE45CB90

Function 00BF7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DF7008), ref: 00BF7F37
IsWindowEnabled.USER32(00DF7008), ref: 00BF7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BF801E
SendMessageW.USER32(00DF7008,000000B0,?,?), ref: 00BF8051
IsDlgButtonChecked.USER32(?,?), ref: 00BF8089
GetWindowLongW.USER32(00DF7008,000000EC), ref: 00BF80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BF80C3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction ID: 04d9626f55bfff08a8ae17f42585e7e823280b1daba2f402153c2301ea3bea05
Opcode Fuzzy Hash: a7082954fe187c4fa6857d1cd91af081781db5546297be8fffbd1268ca1e88ad
Instruction Fuzzy Hash: 37717D3464824DAFEB219F64C884FFABBF9EF19300F1444D9EA45972A1CF31A949DB50

Function 00BCAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BCAEF9
GetKeyboardState.USER32(?), ref: 00BCAF0E
SetKeyboardState.USER32(?), ref: 00BCAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BCAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BCAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BCAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BCB020

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction ID: 44dab5380b61decde1b2667889c437abb2c498baf5f7e3f75ab7e1f71d826201
Opcode Fuzzy Hash: 0f44895ca20cb1f9d6363384e78c3b6732fbf3c71687d0aafb281eaf8c0448df
Instruction Fuzzy Hash: 2F5192A06046D93DFB3652348C46FBE7EE99B06308F0885CDE1D5968C2D7A9ACC4D752

Function 00BCACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BCAD19
GetKeyboardState.USER32(?), ref: 00BCAD2E
SetKeyboardState.USER32(?), ref: 00BCAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BCADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BCADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BCAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BCAE38

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction ID: 4ac61b30f1aab688da738adc49e129bdf5e42709dbda6ec14ac173848e07fa56
Opcode Fuzzy Hash: 1c6fbea113725d3e65dc7c496383735b0b49fdffcc88a16578e95761a1eddf4a
Instruction Fuzzy Hash: FB51E6A15047DA3DFB3283348C85F7ABEE89B45309F0884DCE1D6968C3C694EC84D7A2

Function 00B9542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BA3CD6,?,?,?,?,?,?,?,?,00B95BA3,?,?,00BA3CD6,?,?), ref: 00B95470
__fassign.LIBCMT ref: 00B954EB
__fassign.LIBCMT ref: 00B95506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BA3CD6,00000005,00000000,00000000), ref: 00B9552C
WriteFile.KERNEL32(?,00BA3CD6,00000000,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B9554B
WriteFile.KERNEL32(?,?,00000001,00B95BA3,00000000,?,?,?,?,?,?,?,?,?,00B95BA3,?), ref: 00B95584

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction ID: 0a278ce0bdc047bed412c5ec7e6f9c2ae2abcb15ca8b8bf63413664988776301
Opcode Fuzzy Hash: 1674fec7c898b2e5c991e4f0af44a96eeac21a51c66c2ed311893efc215f128a
Instruction Fuzzy Hash: 9551D471A006099FDF21CFA8D885BEEBBF9EF19300F1541AAF555E7292D7309A41CB60

Function 00B82D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B82D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B82D53
_ValidateLocalCookies.LIBCMT ref: 00B82DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B82E0C
_ValidateLocalCookies.LIBCMT ref: 00B82E61

Strings

csm, xrefs: 00B82DF6

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction ID: 728a610ab9a0c00dbdf6108306ff88c35d47b9eea178f02f16bdb945ee8367be
Opcode Fuzzy Hash: 298818f65833379b2e4e7318679e50d1d115c487f2c9566d1446ffc0b33e30c0
Instruction Fuzzy Hash: 51418434A00209ABCF10EF68C885A9EBFF5FF45724F1481A5E8156B3B2D7759A15CBD0

Function 00BE10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
Part of subcall function 00BE304E: _wcslen.LIBCMT ref: 00BE309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BE1112
WSAGetLastError.WSOCK32 ref: 00BE1121
WSAGetLastError.WSOCK32 ref: 00BE11C9
closesocket.WSOCK32(00000000), ref: 00BE11F9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction ID: 178760ef1a448ab2add51490d1e508bf99e404e67b8e2be4be6fad29c6336f54
Opcode Fuzzy Hash: bb3c34883fe33be57e19f99cae1a1b6caa95d5b657b3777c125d0268922837cf
Instruction Fuzzy Hash: F7411A31600144AFDB109F59C884BB9BBE9FF45354F248499FD05AB291CB74ED85CBE2

Function 00BCCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

lstrcmpiW.KERNEL32(?,?), ref: 00BCCF45
MoveFileW.KERNEL32(?,?), ref: 00BCCF7F
_wcslen.LIBCMT ref: 00BCD005
_wcslen.LIBCMT ref: 00BCD01B
SHFileOperationW.SHELL32(?), ref: 00BCD061

Strings

\*.*, xrefs: 00BCCFF3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction ID: 96a9312dcedbbef6d34e3d54b5aa2a3607b9f0f5da5eb45fbde109f639f702f2
Opcode Fuzzy Hash: 5d61f9c1b35af916270c271e9d96351e8ad6711e2bdba58130cb1b380fc5658b
Instruction Fuzzy Hash: 084143759052189EDF12EBA4C981FDDB7F8EF18380F0000EEE509EB141EA34A688CB50

Function 00BF2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BF2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00BF2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BF2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BF2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00BF2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF2F0B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction ID: 5283d219c2857174a77466762a577f6b29e53b22423390235bf35208ac44c10a
Opcode Fuzzy Hash: 8e41bca9ddd2d1a2ececaaad011cb0d036b35b56258a52b8299bfef9a7126969
Instruction Fuzzy Hash: 4031F630654258EFDB218F58DD85F793BE1EB5A720F2901A4FA00CF2B1CB71A848DB41

Function 00BC7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC778F
SysAllocString.OLEAUT32(00000000), ref: 00BC7792
SysAllocString.OLEAUT32(?), ref: 00BC77B0
SysFreeString.OLEAUT32(?), ref: 00BC77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC77DE
SysAllocString.OLEAUT32(?), ref: 00BC77EC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 84b4c50d9c356f168822deec04645c32f570af2f404747d2116fd56a75f5ac2a
Instruction ID: 822dbbe826ae9475395a4b68bf0b75ea139edadf68f7f03b6913acaffc19c3ca
Opcode Fuzzy Hash: 84b4c50d9c356f168822deec04645c32f570af2f404747d2116fd56a75f5ac2a
Instruction Fuzzy Hash: F821B27660421DAFDB10DFA8CC88DBB77ECEB09364700806AF914DB250DA70DC85CBA4

Function 00BC77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BC7868
SysAllocString.OLEAUT32(00000000), ref: 00BC786B
SysAllocString.OLEAUT32 ref: 00BC788C
SysFreeString.OLEAUT32 ref: 00BC7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00BC78AF
SysAllocString.OLEAUT32(?), ref: 00BC78BD

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 376e0756fe6cc49499267b8f5ca5baa87273827d01d834d2abae37c5f3997697
Instruction ID: 83ffa6d2e784f7297a58d6582b2d49a25ea08bc8789b2e16b557d8f26b79dacb
Opcode Fuzzy Hash: 376e0756fe6cc49499267b8f5ca5baa87273827d01d834d2abae37c5f3997697
Instruction Fuzzy Hash: DD214735604109AFDB109FA9DC8DEBA7BECEB097607108169FA15CB2A1DE74DC41CB64

Function 00BD04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BD04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD052E

Strings

nul, xrefs: 00BD0567

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction ID: 342fd00cc89bdbd42cacd7480db5d3186b9712561f22af3560d750a5c7c60eb9
Opcode Fuzzy Hash: 44a3fae4aadc80ca9fe2d3e7c5e53d8e9519a81449a17f2b109b6a29f660dc8a
Instruction Fuzzy Hash: 3E215175510305DBDB20AF29E885B5ABBF4EF54728F204A5AECA1D72E0E7709950DF20

Function 00BD05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BD05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD0601

Strings

nul, xrefs: 00BD0639

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction ID: 3587786f35b7ec6815b5e14d395a1af839df1fe66bc1f7fe985b89f489608e3f
Opcode Fuzzy Hash: 49207d3eb4eed52e4c087f90ebd99865c52a00a456db0109f904b399409a6b64
Instruction Fuzzy Hash: 6D2144755103059BDB20AF799C44B5AB7E4EF95724F200A9AE8A1E73D0E770D960CB10

Function 00BF40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BF4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BF411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BF412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BF4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BF4145

Strings

Msctls_Progress32, xrefs: 00BF40E3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction ID: 05421f643ad82d52a49812f3a427ac5dbf58bfa20cd516cf30d69e4c86a24ba2
Opcode Fuzzy Hash: 430d87b5db8039b733a1c62fe98d17b35f8ac72e2d0627e2df1395276f91d410
Instruction Fuzzy Hash: B2118EB215021DBEEF118E64CC85EE77F9DEF08798F014110BB18A7090CB729C61DBA4

Function 00B9D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9D7A3: _free.LIBCMT ref: 00B9D7CC

_free.LIBCMT ref: 00B9D82D

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D838
_free.LIBCMT ref: 00B9D843
_free.LIBCMT ref: 00B9D897
_free.LIBCMT ref: 00B9D8A2
_free.LIBCMT ref: 00B9D8AD
_free.LIBCMT ref: 00B9D8B8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 92cd939704d49c68216578c674035423cf9d4060196888192ea6c8844692a1be
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 33112B71940B04BADE21FFF1CC47FCB7BDCAF04700F4148B5B29DA6592DA69B90586A0

Function 00BCDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BCDA74
LoadStringW.USER32(00000000), ref: 00BCDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BCDA91
LoadStringW.USER32(00000000), ref: 00BCDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BCDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BCDAB9

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction ID: 644244fd1f52abecd460ef13b69c2c8a6f4b70d819f95df686f9875255324ff5
Opcode Fuzzy Hash: 138e56dbda104e7ee105c574f21f29be7fe1050a26865bbd4532e1fd39b84ae5
Instruction Fuzzy Hash: 880162F650020C7FE750ABA49E89EF7766CE708701F4004A5B746E3041EA749EC48F74

Function 00BD096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00DEDE30,00DEDE30), ref: 00BD097B
EnterCriticalSection.KERNEL32(00DEDE10,00000000), ref: 00BD098D
TerminateThread.KERNEL32(?,000001F6), ref: 00BD099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00BD09A9
CloseHandle.KERNEL32(?), ref: 00BD09B8
InterlockedExchange.KERNEL32(00DEDE30,000001F6), ref: 00BD09C8
LeaveCriticalSection.KERNEL32(00DEDE10), ref: 00BD09CF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction ID: e6b52668b84aa7a284f2734b90cb95db28f99b3390085713a84c6fef983a6f9b
Opcode Fuzzy Hash: c595e68e132ce3e507036ecb0f50c8b340c8c6451729c17a28b8845f472e66bb
Instruction Fuzzy Hash: 84F01D31442506ABD7415B94EF88BE6BA25FF01702F501016F101928A0DB7494A5DF90

Function 00B65D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B65D30
GetWindowRect.USER32(?,?), ref: 00B65D71
ScreenToClient.USER32(?,?), ref: 00B65D99
GetClientRect.USER32(?,?), ref: 00B65ED7
GetWindowRect.USER32(?,?), ref: 00B65EF8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction ID: e098f947d25a4f1485226cc08f9921528fedaae72109c9d756d527279d0251f7
Opcode Fuzzy Hash: 6a58de99e7ba4e720471cf613b1d6e4d21ad30164529f388395ca975073bd219
Instruction Fuzzy Hash: 3BB17A34A0464ADFDB20CFA8C4807EEB7F1FF58310F14845AE8A9D7250DB78AA61DB50

Function 00B901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B900D6
__allrem.LIBCMT ref: 00B900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B9010B
__allrem.LIBCMT ref: 00B90122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B90140

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: c7a4d79a12cd9cddd16cb0ee4c1e0667e016db6e5ee0e07ef3345d6209432145
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 6181E572A017169FEB24BF68CC81B6BB3E9EF41724F2445BAF551D6291E770D900CB90

Function 00BE1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00BE101C,00000000,?,?,00000000), ref: 00BE3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BE1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BE1DE1
WSAGetLastError.WSOCK32 ref: 00BE1DF2
inet_ntoa.WSOCK32(?), ref: 00BE1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00BE1EDB
_strlen.LIBCMT ref: 00BE1F35

Part of subcall function 00BC39E8: _strlen.LIBCMT ref: 00BC39F2

Part of subcall function 00B66D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00B7CF58,?,?,?), ref: 00B66DBA
Part of subcall function 00B66D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00B7CF58,?,?,?), ref: 00B66DED

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 795c814805fd3efa27884f14a10c444d637d3097c942faa12a0bb0ecf13442d4
Instruction ID: 84be378d1463c8a254dbc1ab3221a481c24d5cf3a75329132ef5c82b34f0905b
Opcode Fuzzy Hash: 795c814805fd3efa27884f14a10c444d637d3097c942faa12a0bb0ecf13442d4
Instruction Fuzzy Hash: 31A1B131104380AFC324DF29C895F2A7BE5EF84318F64899CF4569B2A2DB71ED85CB91

Function 00B961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B882D9,00B882D9,?,?,?,00B9644F,00000001,00000001,8BE85006), ref: 00B96258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B9644F,00000001,00000001,8BE85006,?,?,?), ref: 00B962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B963D8
__freea.LIBCMT ref: 00B963E5

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

__freea.LIBCMT ref: 00B963EE
__freea.LIBCMT ref: 00B96413

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction ID: ea4978aee00d3f5a66997484be552d2524c8bfe2efb2833054e53c7826f36015
Opcode Fuzzy Hash: 3e503fa73bdb211c55b68cdbdf18da1dbe0a2f157913ab0ca7e1eccc259fc775
Instruction Fuzzy Hash: A451CF72A04216ABEF268F68CC81EAF7BE9EB44750F1546B9F805D7140EB34DC50D664

Function 00BEBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBD25
RegCloseKey.ADVAPI32(00000000), ref: 00BEBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BEBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BEBDF3
RegCloseKey.ADVAPI32(?), ref: 00BEBDFF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f854c42f043ff1e4a4937ec41b2f3efe7cd909186bd93f5e97e64e391e61d112
Instruction ID: a16a8b3298521ecb86673f712827c83a6546bfe9b57734365195ddd9200e5bd6
Opcode Fuzzy Hash: f854c42f043ff1e4a4937ec41b2f3efe7cd909186bd93f5e97e64e391e61d112
Instruction Fuzzy Hash: D3816F31118241AFD714DF25C895E2BBBE5FF84308F1489ACF55A4B2A2DB31ED45CB92

Function 00BBF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00BBF7B9
SysAllocString.OLEAUT32(00000001), ref: 00BBF860
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF889
VariantClear.OLEAUT32(00BBFA64), ref: 00BBF8AD
VariantCopy.OLEAUT32(00BBFA64,00000000), ref: 00BBF8B1
VariantClear.OLEAUT32(?), ref: 00BBF8BB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: d0a07fe738af5b72af6e5569b00fe814cd3ef2d3ab714ad4d06e9d4742cfc5b1
Instruction ID: dde9eef3057df425278935626b781da9cf32d06906812d368c6e3b19ca9abbc3
Opcode Fuzzy Hash: d0a07fe738af5b72af6e5569b00fe814cd3ef2d3ab714ad4d06e9d4742cfc5b1
Instruction Fuzzy Hash: E6519E31600312BBCF24AB65DC95BB9B3E8EF45710B2494F7E906DF291DAB08C40CB96

Function 00BD910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00BD94E5
_wcslen.LIBCMT ref: 00BD9506
_wcslen.LIBCMT ref: 00BD952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00BD9585

Strings

X, xrefs: 00BD9412

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 15ce33a77885f8552218388c75897058e9a58861ee788b2db99369782d44b1a4
Instruction ID: 584c3c7a00f78273f104e760d8b5fcb326d78d65d90af0731ca50cc3a25b8b07
Opcode Fuzzy Hash: 15ce33a77885f8552218388c75897058e9a58861ee788b2db99369782d44b1a4
Instruction Fuzzy Hash: 25E1A2315043009FD724EF24C881A6AB7E4FF95314F1489AEF8999B3A2EB31DD45CB92

Function 00B7920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

BeginPaint.USER32(?,?,?), ref: 00B79241
GetWindowRect.USER32(?,?), ref: 00B792A5
ScreenToClient.USER32(?,?), ref: 00B792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B792D3
EndPaint.USER32(?,?,?,?,?), ref: 00B79321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BB71EA

Part of subcall function 00B79339: BeginPath.GDI32(00000000), ref: 00B79357

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction ID: 7d86c8ae4e42f309bfd45307eb9c9f27d410ebf6ade2e62de31476b87927a25b
Opcode Fuzzy Hash: 3d322bc52137260b679e7604c641a8a3d31ff6d2a727a39541148276263cbe29
Instruction Fuzzy Hash: FA41AD70108300AFD710DF28DC84FBA7BE8EF85320F1442A9F9A9972A2CB719845DB61

Function 00BD07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BD080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00BD0847
EnterCriticalSection.KERNEL32(?), ref: 00BD0863
LeaveCriticalSection.KERNEL32(?), ref: 00BD08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BD08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BD0921

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e6d45c356c1eabe7529ce67c4ffe622ddb03ef1a66fb4ef881d43215ee2f5274
Instruction ID: 9db1c0a9fbf72fcb768f456900bb8eb1392b3fd88f20d8c9afd803c623774bc1
Opcode Fuzzy Hash: e6d45c356c1eabe7529ce67c4ffe622ddb03ef1a66fb4ef881d43215ee2f5274
Instruction Fuzzy Hash: 17417C71910205EBDF14AF54DC85B6ABBB8FF04300F1480A5ED04AB297EB31DE65DBA4

Function 00BF81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BBF3AB,00000000,?,?,00000000,?,00BB682C,00000004,00000000,00000000), ref: 00BF824C
EnableWindow.USER32(?,00000000), ref: 00BF8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BF82D1
ShowWindow.USER32(?,00000004), ref: 00BF82E5
EnableWindow.USER32(?,00000001), ref: 00BF830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BF832F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction ID: 515ab2914329974fea48a7b2ff0ce42810cccc390e0771bb2fe8b574a935e470
Opcode Fuzzy Hash: db0b944bde3579417e84244d78c08606f022c8f7999c88ad9192916f89449613
Instruction Fuzzy Hash: F9413234601648EFDB16CF15D999BF87BE1FB4A714F1841A9EA084B272CB31A849CF54

Function 00BC4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BC4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BC4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BC4CEA
_wcslen.LIBCMT ref: 00BC4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BC4D10
_wcsstr.LIBVCRUNTIME ref: 00BC4D1A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: d665ec74ff4285a5bb99df9253ca96f12032f7fcb7a60fb7ba6a2316e144ad64
Instruction ID: 2c63171db84ee437f95b903624d8dee3750b38071dbefdd816830d5d77d28236
Opcode Fuzzy Hash: d665ec74ff4285a5bb99df9253ca96f12032f7fcb7a60fb7ba6a2316e144ad64
Instruction Fuzzy Hash: 3421C5326042057BEB256B299D59F7B7BE8DF45750F1080BDF80ACB1A1EB61DD40D6A0

Function 00BD581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B63A97,?,?,00B62E7F,?,?,?,00000000), ref: 00B63AC2

_wcslen.LIBCMT ref: 00BD587B
CoInitialize.OLE32(00000000), ref: 00BD5995
CoCreateInstance.OLE32(00BFFCF8,00000000,00000001,00BFFB68,?), ref: 00BD59AE
CoUninitialize.OLE32 ref: 00BD59CC

Strings

.lnk, xrefs: 00BD5876, 00BD58C1, 00BD5985

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction ID: a3ee5d9709c4a83cf9aceb63a00e9f42b3d97be1b823ca1c2d6c8a1d7061d08f
Opcode Fuzzy Hash: 0bc86a027a8cf54faaffde3444f2545e9efc12f2a6d729f3303af093f9abdc6f
Instruction Fuzzy Hash: CDD154716047019FC724DF24C490A2AFBE5EF89714F14889EF88A9B361EB35EC45CB92

Function 00BC175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
Part of subcall function 00BC0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
Part of subcall function 00BC0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
Part of subcall function 00BC0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
Part of subcall function 00BC0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

GetLengthSid.ADVAPI32(?,00000000,00BC1335), ref: 00BC17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BC17BA
HeapAlloc.KERNEL32(00000000), ref: 00BC17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BC17DA
GetProcessHeap.KERNEL32(00000000,00000000,00BC1335), ref: 00BC17EE
HeapFree.KERNEL32(00000000), ref: 00BC17F5

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction ID: 4e0b49b38e720cc359cd8a23dce4f66657bd9b27626dde9761a68ec64a3cc5c2
Opcode Fuzzy Hash: 7a0bac7c0c966abb5cbd259a161d76c912078d5fe6f40f6caf718aed1f615309
Instruction Fuzzy Hash: 10118C71500209EFDB109FA8CD49FAE7BE9EF42355F10485DE441A7211CB359D95CB60

Function 00BC14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BC14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00BC1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BC1515
CloseHandle.KERNEL32(00000004), ref: 00BC1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BC154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BC1563

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction ID: 130f9bef2bc3f02b651f40dd5428dda9b7566cdcacc9cc889831d1bd6a213091
Opcode Fuzzy Hash: b31095102a73a5da545ff9d438654744a7f795b3effcc9d9ac27af2a8db7aa99
Instruction Fuzzy Hash: 6D11597250020DABDF11CFA8DE49FEE7BA9EF49744F044058FA05A2160C771CEA5EB60

Function 00B83382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B83379,00B82FE5), ref: 00B83390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B8339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B833B7
SetLastError.KERNEL32(00000000,?,00B83379,00B82FE5), ref: 00B83409

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3736741e7df5e9c79761cff834fbe3ad5e813323d852e95c5a3596b8025b587f
Instruction ID: d0e2358e1caa019ecfcc505d96e39735c58ea9f8761cb98bb1ac4c60f0ab9cc8
Opcode Fuzzy Hash: 3736741e7df5e9c79761cff834fbe3ad5e813323d852e95c5a3596b8025b587f
Instruction Fuzzy Hash: 3601D43261D311BEAA2537B8BCC5B6E2AD4EB05F7972002A9F410822F1EF114E02D788

Function 00B92D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B95686,00BA3CD6,?,00000000,?,00B95B6A,?,?,?,?,?,00B8E6D1,?,00C28A48), ref: 00B92D78
_free.LIBCMT ref: 00B92DAB
_free.LIBCMT ref: 00B92DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B8E6D1,?,00C28A48,00000010,00B64F4A,?,?,00000000,00BA3CD6), ref: 00B92DEC
_abort.LIBCMT ref: 00B92DF2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9d7a26ec4ce2a9c8cf7cd71bfbe724c21fbfdf58ecec14dd0bc32caaf3a01737
Instruction ID: 9b5849caaac8cd4e276f359096ef2949949d83b9e82681affa0352a4513cc1dd
Opcode Fuzzy Hash: 9d7a26ec4ce2a9c8cf7cd71bfbe724c21fbfdf58ecec14dd0bc32caaf3a01737
Instruction Fuzzy Hash: 56F0A436D0560037CE226738AC46F2E29E9EFC27A1F2505B9F824932A2EE34884241A0

Function 00BF8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BF8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00BF8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BF8A70
LineTo.GDI32(?,00000000,00000003), ref: 00BF8A80
EndPath.GDI32(?), ref: 00BF8A90
StrokePath.GDI32(?), ref: 00BF8AA0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction ID: a4f0c500e77750c55e7ce9d60acc84c35834f009bc996b8f0f842d0217b79591
Opcode Fuzzy Hash: 78bf04cc8f7ce7ec9003ccabc6fa8e9e3effc5c792bb9130602c6aa0aae12700
Instruction Fuzzy Hash: 1E11C97600010DFFDB129F94DD88FAA7FADEB08354F048052BA199B1A1DB719D95DBA0

Function 00BC51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BC5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00BC5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC5230
ReleaseDC.USER32(00000000,00000000), ref: 00BC5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BC524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BC5261

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction ID: 12390649eb028f6a91a75c3d3eef5b661f1fb75106c8442db70dc2c8f1d382ab
Opcode Fuzzy Hash: 5f04c63ee24f6239d48db4e1521d1f1a710b76d5f55b84ee21d9cac9dc18eabf
Instruction Fuzzy Hash: 9C018F75A00708BBEB109BA59D49F6EBFB8EB48351F044065FA04EB380DA709850CBA0

Function 00B61BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B61BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B61BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B61C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B61C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B61C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B61C22

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction ID: e7ec3db64bf007369be1484dda33aed18ca5ecd60fb317313d04a77bc7b2ed6a
Opcode Fuzzy Hash: f0f65917348a286a9d721dca1227baca62466f0b9dc45aa6a7076a32fe05225d
Instruction Fuzzy Hash: D5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00BCEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BCEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BCEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BCEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BCEB75

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction ID: fb9115e4b6dc9fa0d6b187e19d71a22c91b993787f9eb2de9eb7c11bdd7d950d
Opcode Fuzzy Hash: 1cb417ab88f70b97c87315c1c40cc94aba8d91c8224abc4f0a118cc41a8fe71b
Instruction Fuzzy Hash: 49F01772240158BBE7215B629D0EEFB3E7CEFCAB11F000158F611E30919BA05A41D6B5

Function 00BB7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BB7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BB7469
GetWindowDC.USER32(?), ref: 00BB7475
GetPixel.GDI32(00000000,?,?), ref: 00BB7484
ReleaseDC.USER32(?,00000000), ref: 00BB7496
GetSysColor.USER32(00000005), ref: 00BB74B0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction ID: 70aac4c39f47842a9a5437f909f4ca8c252afc03c7aeaa1e930484fb1075ca58
Opcode Fuzzy Hash: 3e7ea766de640aa8ed81f92d89451bcb9db2bf8946fdd86c87026cfc1f5e26b1
Instruction Fuzzy Hash: 08014031404209EFEB505BA4DE09BBA7EB5FB04322F2400A0E926A32A0CF311E91EB10

Function 00BC1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC187F
UnloadUserProfile.USERENV(?,?), ref: 00BC188B
CloseHandle.KERNEL32(?), ref: 00BC1894
CloseHandle.KERNEL32(?), ref: 00BC189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC18A5
HeapFree.KERNEL32(00000000), ref: 00BC18AC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction ID: a9d707b0d2b30bf5ac819f359464e056480c78b574b2bf929c7154cf26a746fd
Opcode Fuzzy Hash: 5b8cd7b2282abcf9d9b55b85b60f92b3e93368151b2af008d33e6ba6d73bcb2c
Instruction Fuzzy Hash: 7DE0C236004109BBDA016BA1EE0CD1ABF29FF49B22B108220F22593070CF3294B0EB50

Function 00BCC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC6EE
_wcslen.LIBCMT ref: 00BCC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BCC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BCC7CA

Strings

0, xrefs: 00BCC6AF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 661d90d6d12f7c2f481120036ba58a8ab15059812a2f87d41fd8b31442e9bcdc
Instruction ID: 0fa090313945fc4dfd1c7dde76c8d17c3c6360e14bb3786779de5da33e15dfa2
Opcode Fuzzy Hash: 661d90d6d12f7c2f481120036ba58a8ab15059812a2f87d41fd8b31442e9bcdc
Instruction Fuzzy Hash: D551BE716143019BD7119F28C985F6BBBE4EB69310F080AAEF999D31A0DB74DD04CB56

Function 00BEAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BEAEA3

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

GetProcessId.KERNEL32(00000000), ref: 00BEAF38
CloseHandle.KERNEL32(00000000), ref: 00BEAF67

Strings

<, xrefs: 00BEAE6B
@, xrefs: 00BEAE72

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ddc061c55f8f6a260edd7a88628b792646326bc73af6d907e5a04a4e5ec35c05
Instruction ID: ddec7bcabedff63ca9ecce53857f19a07013b881a314e2686aa5939d9e327e96
Opcode Fuzzy Hash: ddc061c55f8f6a260edd7a88628b792646326bc73af6d907e5a04a4e5ec35c05
Instruction Fuzzy Hash: 59715670A00259DFCB14EF55C494A9EBBF4FF08314F148499E81AAB3A2CB74ED45CB91

Function 00BC719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BC723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BC724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BC72CF

Strings

DllGetClassObject, xrefs: 00BC7242

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction ID: 212bc71b234119c132469deefe61589ad35dc7d2369b277f7d638a7480410086
Opcode Fuzzy Hash: c797d73879f708d6ac1b41da0c128a1c28d2b321324fb9322b4397f591c095f7
Instruction Fuzzy Hash: 6D411A71A44204AFDB15CF54C984FAA7BE9EF45310B2480ADBD099F20ADBB1DA45CFA0

Function 00BF3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF3E35
IsMenu.USER32(?), ref: 00BF3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF3E92
DrawMenuBar.USER32 ref: 00BF3EA5

Strings

0, xrefs: 00BF3D89

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction ID: 099920541fdd8f7566eaa677b0b17bc342731ab6ed43834f63ac86a7688e3257
Opcode Fuzzy Hash: 5d65b27fff5db33f3b56fad76d58d20dd0845f8670274fb1c807e107055e31f8
Instruction Fuzzy Hash: DC412475A1120DEFDF10DF60D884AEABBF9FF48764F0441A9EA05A7250D730AE49CB60

Function 00BC1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BC1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BC1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BC1EA9

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Strings

ListBox, xrefs: 00BC1E25
ComboBox, xrefs: 00BC1DF0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c91b4a2dc3567e1dbbbe312eb16c80c000bdc215374e6f13208eb62ffb4791bb
Instruction ID: a85e5f4f829e58b650c2d12a6f94db08c946ab4b2b9efa15d6ccd132cb3bebfe
Opcode Fuzzy Hash: c91b4a2dc3567e1dbbbe312eb16c80c000bdc215374e6f13208eb62ffb4791bb
Instruction Fuzzy Hash: 6C213571A00109BBDB14AB68DD46DFFBBF8DF46350B1485ADF825E31E2DB38494AC620

Function 00BEC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BEC9F1
_wcslen.LIBCMT ref: 00BECA68
_wcslen.LIBCMT ref: 00BECA9E
_wcslen.LIBCMT ref: 00BECAF9
_wcslen.LIBCMT ref: 00BECB2F
_wcslen.LIBCMT ref: 00BECB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00BECA62, 00BECA67
HKLM, xrefs: 00BECA98, 00BECA9D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 170a358b91a15e6add61e656fdbd599091c565b0f613df1084efa702c0cb7a78
Instruction ID: a92c32a58d94df218fa3f3750c36948e8448ac97437072c5e4d1be153df503db
Opcode Fuzzy Hash: 170a358b91a15e6add61e656fdbd599091c565b0f613df1084efa702c0cb7a78
Instruction Fuzzy Hash: 44310673A001EA4BCB20EF2ED9805BE3BD1DBA1750B1561B9F855AB25DE770CD42D3A0

Function 00BF2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BF2F8D
LoadLibraryW.KERNEL32(?), ref: 00BF2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BF2FA9
DestroyWindow.USER32(?), ref: 00BF2FB1

Strings

SysAnimate32, xrefs: 00BF2F68

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction ID: 382ad4b961e5294a09213c52082f864c75dc6c5e3272bf45d15c21c246e04562
Opcode Fuzzy Hash: 6034d1f6c542770ac4193e8bb5f04b981f61065badb8f7d509cfc4832cde167d
Instruction Fuzzy Hash: 2721977222420AABEB104FA4DC80EBB37F9EB69364F104668FA50D31A0D771DC959760

Function 00B84D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002), ref: 00B84D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B84DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B84D1E,00B928E9,?,00B84CBE,00B928E9,00C288B8,0000000C,00B84E15,00B928E9,00000002,00000000), ref: 00B84DC3

Strings

mscoree.dll, xrefs: 00B84D86
CorExitProcess, xrefs: 00B84D98

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction ID: 7985d461c7e29fb880a7633de9cce7ee5cbea796bffa3bfaff8a75aeb089338d
Opcode Fuzzy Hash: 4c58a28c722a5ccbffa1faf875c6c25a8ab1ceaf6dd2c3e25eaa41fb45a62465
Instruction Fuzzy Hash: B4F03C34A40219ABDB11AB94DD49BAEBFF5EF44751F0000A4A809A36A0CF745E94CB91

Function 00B64E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64EAE
FreeLibrary.KERNEL32(00000000,?,?,00B64EDD,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64EC0

Strings

kernel32.dll, xrefs: 00B64E94
Wow64DisableWow64FsRedirection, xrefs: 00B64EA8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction ID: 04bb6d0d7d370203b3e571386688a4f5af7010cfa1fac1893f1aadaaed79cadb
Opcode Fuzzy Hash: d77d8c085f3bcca413307422f9e50021e30f2b33103bc6a9a171fbe987f62046
Instruction Fuzzy Hash: 09E0CD35E019365BD23117257D18B7F69D4EF81F627050165FD04F3111DF68CE45C4A0

Function 00B64E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64E74
FreeLibrary.KERNEL32(00000000,?,?,00BA3CDE,?,00C31418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B64E87

Strings

kernel32.dll, xrefs: 00B64E5B
Wow64RevertWow64FsRedirection, xrefs: 00B64E6E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction ID: 45dffb9b90085b16ba97048670ef24e25219371248e47046fb9115fd399583db
Opcode Fuzzy Hash: 657966b4e0b9391d8d7dd75778a5639409031f19dc425a0a7e956a67133886c6
Instruction Fuzzy Hash: C7D0C239502A365B46221B247C08EAB6E58EF81B113050161B904B3110CF29CE52C1D0

Function 00BD2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2C05
DeleteFileW.KERNEL32(?), ref: 00BD2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BD2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD2CC0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 099753dcdb78d22b80196922c820ff16ae27c205191b8f4834862cb608414b0f
Instruction ID: 06b4200732f028a7c8d19594177911e6bc17313dc5ee00d6cd9bd35ac5abf4bb
Opcode Fuzzy Hash: 099753dcdb78d22b80196922c820ff16ae27c205191b8f4834862cb608414b0f
Instruction Fuzzy Hash: 21B13C71D00119ABDF21EBA4CC85EEEBBBDEF59350F1040E6F909A7251EA349E44CB61

Function 00BEA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BEA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BEA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BEA468
CloseHandle.KERNEL32(?), ref: 00BEA63D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction ID: b4d22cbb12453d829f53fa9c8f11ca24eb3cb4e312b159805aaf30972bb2d28b
Opcode Fuzzy Hash: 580f5a3bab08eb919c49f71fe34b650059b0de3eceb49bd65b11678b1acce516
Instruction Fuzzy Hash: 9EA18E71604340AFD720DF25C886F2AB7E5AF84714F14889DF59A9B392DBB4EC41CB92

Function 00BCE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BCCF22,?), ref: 00BCDDFD

Part of subcall function 00BCDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BCCF22,?), ref: 00BCDE16

Part of subcall function 00BCE199: GetFileAttributesW.KERNEL32(?,00BCCF95), ref: 00BCE19A

lstrcmpiW.KERNEL32(?,?), ref: 00BCE473
MoveFileW.KERNEL32(?,?), ref: 00BCE4AC
_wcslen.LIBCMT ref: 00BCE5EB
_wcslen.LIBCMT ref: 00BCE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BCE650

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction ID: b09171b5480c546f82863b7ba67dbc14c80fac2e78afc5afaeba31addfd6922a
Opcode Fuzzy Hash: 143d765cb7846b330ad04736f1e3a607c28e5951ada430c1ac29dbb5a26b9db1
Instruction Fuzzy Hash: 46514FB24087459BC724EB90D881EDFB7ECEF94340F00496EF59993191EE74E688CB66

Function 00BEB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BEC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BEB6AE,?,?), ref: 00BEC9B5
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BEC9F1
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA68
Part of subcall function 00BEC998: _wcslen.LIBCMT ref: 00BECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BEBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BEBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BEBB63
RegCloseKey.ADVAPI32(?,?), ref: 00BEBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00BEBBB3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction ID: 9fa35ac41d19b13a34fbaaea0ac02d3e34490cb526495f10b8069032d1dfea74
Opcode Fuzzy Hash: 347f532e24463c481a67deb9dace676a55c364d769326daec6b0936bf4a00fee
Instruction Fuzzy Hash: 25618131208241AFD714DF25C890E2BBBE5FF84348F5495ACF4998B2A2DB35ED45CB92

Function 00BC8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC8BCD
VariantClear.OLEAUT32 ref: 00BC8C3E
VariantClear.OLEAUT32 ref: 00BC8C9D
VariantClear.OLEAUT32(?), ref: 00BC8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BC8D3B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction ID: 257a24d76785055fa94d7b2b900574b8a7f99b29993b93b253bc904a12c619f2
Opcode Fuzzy Hash: ea2f38f77451a6e484b91f11472ea0c620b94ac91a57ea151065f53377315a84
Instruction Fuzzy Hash: B0515BB5A00219EFCB14CF58D894EAABBF5FF89310B15856DE906DB350E730E911CB90

Function 00BD8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BD8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BD8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BD8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BD8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BD8C5F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 65c60c081a2bb78aa5f6135b790f8f7dc9184d7c63fa214cd5f2f0006e7c1cbb
Instruction ID: 7a6acc52a455250e220334d9d30c85e5c854eb337b498718bf04898a9b7a85c4
Opcode Fuzzy Hash: 65c60c081a2bb78aa5f6135b790f8f7dc9184d7c63fa214cd5f2f0006e7c1cbb
Instruction Fuzzy Hash: 3A515A35A10219EFCB05DF64C880A6DBBF5FF48314F088099E84AAB362DB35ED51CB90

Function 00BE8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BE8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00BE8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BE8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00BE9032
FreeLibrary.KERNEL32(00000000), ref: 00BE9052

Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BD1043,?,753CE610), ref: 00B7F6E6
Part of subcall function 00B7F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BBFA64,00000000,00000000,?,?,00BD1043,?,753CE610,?,00BBFA64), ref: 00B7F70D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction ID: ce72ddf07ffb619fa484046b561da2ae6ec0ee74c7dcebf335a6ebb61b405c85
Opcode Fuzzy Hash: 3b0805eac6c84ed49ce590193140337fcb75576026ce52c55fa49256b09a6e40
Instruction Fuzzy Hash: 11513835600645DFCB11DF59C4948ADBBF1FF59324B0480E9E80AAB362DB31ED85CB90

Function 00BF6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BF6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00BF6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BF6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BDAB79,00000000,00000000), ref: 00BF6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BF6CC7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction ID: 4fa8cf00e02610c1c98bf31e2b48553f849cc0f4d94e99fdc34c898c725b1a11
Opcode Fuzzy Hash: 626ff1ee4e8029142c522ca9cf36d1410532ea3751f8d785316362d80282b7c6
Instruction Fuzzy Hash: B941AF35A04108AFDB24CF68CD99FB97BE5EB09360F1502A8EE95E72A1C771AD45CA40

Function 00B92051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B920C3
_free.LIBCMT ref: 00B920E3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction ID: bf089363635f7fa964a4b40d5d3d1993e19ed568f7a343aafa5b36af7d96a6a5
Opcode Fuzzy Hash: c59e0398f1c20ccf84b78b4d21f438ba11cdbada708ddaf19d8bbf5bd38b20ca
Instruction Fuzzy Hash: 8241AF32E00210AFCF24DF78C881A6DB7E5EF89314F1585B9E615EB392DA31AD01CB81

Function 00B7912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B79141
ScreenToClient.USER32(00000000,?), ref: 00B7915E
GetAsyncKeyState.USER32(00000001), ref: 00B79183
GetAsyncKeyState.USER32(00000002), ref: 00B7919D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction ID: f6933155710367d3133cc1a196fbd9de9ef1e65793b959a437478036545e2e48
Opcode Fuzzy Hash: bdda7b454c86e7539a06be4d4a908f87d1cd7eb0dccd7496594005b74bf8291c
Instruction Fuzzy Hash: 7D416E7190850ABBDF059F68C844BFEB7B4FB45320F208295E429B72D0CB745954DBA1

Function 00BD3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BD38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BD3922
TranslateMessage.USER32(?), ref: 00BD394B
DispatchMessageW.USER32(?), ref: 00BD3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD3966

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction ID: 5e79f1c35f966855a9d6d4d8edfeb7beda31f368aee9c6cb5997400793ccd23f
Opcode Fuzzy Hash: 4b98ec6da0f0593bc7613cc22c9cea3923fa53c700a82442e1a619babfdbfb94
Instruction Fuzzy Hash: FB31FB705143419EEB35CB349898B76BBE4DB05710F0805ABE463832E2F7F99A84DB13

Function 00BDCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00BDCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00BDC21E,00000000), ref: 00BDCFF2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2598026ef7a729725077b2578514fd7a51d8317dde7a01b1a75624ee880a3a20
Instruction ID: fad84aafe533676f2a08b15ed646965d53ff12a239306c0620b9260f55ad508f
Opcode Fuzzy Hash: 2598026ef7a729725077b2578514fd7a51d8317dde7a01b1a75624ee880a3a20
Instruction Fuzzy Hash: F4312F71504206AFDB20DFA5C9849ABBFF9EB14351B1044AEF51AD3251EB30AD49DB60

Function 00BC1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00BC19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00BC19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00BC19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BC19E2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction ID: fa263ea4d20b9ff15390b8633494e508820ee7d44931ea3395d833d455e8124c
Opcode Fuzzy Hash: 3ae4c43f1d29fe559be876aad6e0f0e14372aceb9f6de411ebac2edd2b86c8e6
Instruction Fuzzy Hash: F731CF71A00219EFCB00CFACC998BEE7BB5EB05314F108669F921E72D1C7B09955CB90

Function 00BF5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BF5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BF579D
_wcslen.LIBCMT ref: 00BF57AF
_wcslen.LIBCMT ref: 00BF57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction ID: 20ea9a62e8c37ddf25d34b1d7fce10280fbe2276e367a7b5c893d778a73a63ae
Opcode Fuzzy Hash: 5855abe6ee3dd5c84b2f7edab7d9c400760b1a2c82711f19973a92897ce4c1c4
Instruction Fuzzy Hash: F521307190461CAADB309F64CC85AFDBBF8EF04724F108296EB29EB194D7709989CF50

Function 00BE0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BE0951
GetForegroundWindow.USER32 ref: 00BE0968
GetDC.USER32(00000000), ref: 00BE09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00BE09B0
ReleaseDC.USER32(00000000,00000003), ref: 00BE09E8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction ID: 2cdd91d11ba6004a2fabb7a7077e68ba4f44e4c411aa0241662e14c011f1bfe5
Opcode Fuzzy Hash: b3d5d251b33e81f544bc9fc23685e74d6a010a897067fe7b4eda70c495bf6514
Instruction Fuzzy Hash: FA219335600204AFD704EF69D984AAEBBF5EF44700F0484ADF84AD7362DB74AD44CB50

Function 00B9CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B9CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B9CDE9

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B9CE0F
_free.LIBCMT ref: 00B9CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9CE31

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction ID: 17d637374272fa676da1ee0ad5a1826ccd3785572fa2fb1932679dd6ed5cb9a0
Opcode Fuzzy Hash: 275461099c054bf378a9320df33f2de97eda8e09029a4deed161e7844112cdd0
Instruction Fuzzy Hash: EF01D472601A157F2B211ABA6C88C7B6EEDDEC6BA131501B9F906D7200EE609E01C2B4

Function 00B79639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
SelectObject.GDI32(?,00000000), ref: 00B796A2
BeginPath.GDI32(?), ref: 00B796B9
SelectObject.GDI32(?,00000000), ref: 00B796E2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction ID: ff0afcd27ffec59acc371080a0ebf8946ad9ca9fb18d318510da65025d26f311
Opcode Fuzzy Hash: 7a963d730cc0a759ec70035eeddb446674b7b29fad70cf6bdfbdbd2afb9a4e86
Instruction Fuzzy Hash: 36217C30812305EFDB119F28ED08BBD3BE8FB41725F188396F828A71A0D7709991CB94

Function 00BC5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00BC5726
_memcmp.LIBVCRUNTIME ref: 00BC5744
_memcmp.LIBVCRUNTIME ref: 00BC5757
_memcmp.LIBVCRUNTIME ref: 00BC576F
_memcmp.LIBVCRUNTIME ref: 00BC5787

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction ID: e2b11cbef11613b6e2878b2a49103dd010621e982a8b7e102d88f9fe3fb3765b
Opcode Fuzzy Hash: 15f3affdbab19036f0874525d4148cb5555da34de9258615f664166dbe04835c
Instruction Fuzzy Hash: 59019671741619BA922866149D82FBA63DCDF21394B0044AAFE049B251F660FD95C2A8

Function 00BC000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?,?,00BC035E), ref: 00BC002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?), ref: 00BC0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BBFF41,80070057,?,?), ref: 00BC0070

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction ID: 63ee7f907a7a3f93215cd4d3223324cf917b230b33f2c9d600a8162422ca895f
Opcode Fuzzy Hash: 65c03519d2b984e7fad8bb4b6e078180deed23bfd653066e96fed2e15385818f
Instruction Fuzzy Hash: EB017872610208EBDB116F68ED44FBA7EEDEB44792F154168F905D3210EB71DD808BA0

Function 00BCE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00BCE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00BCE9A5
Sleep.KERNEL32(00000000), ref: 00BCE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00BCE9B7
Sleep.KERNEL32 ref: 00BCE9F3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction ID: b3b31a8491767dc1ddb20fda7542b2439dc9ce6f7cbebd4a77bc9453cf381466
Opcode Fuzzy Hash: abe3a935ddab4894fb2abfc23cb6262445d387017f124a2f4ff8374c7710bf31
Instruction Fuzzy Hash: 5F015B31C0152DDBCF009BE4D949BEDBBB8FF09700F00458AE512B3140CB709691C761

Function 00BC10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BC0B9B,?,?,?), ref: 00BC1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC114D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction ID: 4397722efd2e0f99e69dcd69761ff486307b5d5e008e5e242cff739933c14546
Opcode Fuzzy Hash: 99900af56b0b4e855f4421ba562fa7dbebba298f2fa4ccfbac145f7c61b7eac8
Instruction Fuzzy Hash: DC016975200209BFDB115FA8DD49E6A3FAEEF8A3A0B240458FA41E3360DF31DD50CA60

Function 00BC0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC1002

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction ID: fbad009cf51d697a4753cc4703fa8df460f11a25b617b02d68066083942ce72b
Opcode Fuzzy Hash: 936ad223598d764f8570a9ea3764de7504efa193dcf759752b0dacfdce58db1f
Instruction Fuzzy Hash: 04F04F35100305ABD7214FA89D49F663FADEF8A761F114455FA45D7251CE70DC90CA60

Function 00BC1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction ID: ec296a61ed3218a6803b28c5a8e9a23e32b77eb7c7780ee85f0e715d8cbd06b9
Opcode Fuzzy Hash: ad757b49923f5aeef3b1bd0bfe3e44efd95c5b9e39a064aee57795e43ca3d403
Instruction Fuzzy Hash: 3FF06D35240309EBDB215FA8ED49F663FADEF8A761F210818FE45E7251CE70D990CA60

Function 00BD030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0324
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0331
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD033E
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD034B
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0358
CloseHandle.KERNEL32(?,?,?,?,00BD017D,?,00BD32FC,?,00000001,00BA2592,?), ref: 00BD0365

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction ID: 483bcf64eedabcf0c3e701d156d4fee600ff7b3044dd7c6f80d224fc220773a2
Opcode Fuzzy Hash: 83703273b3e065cc907a27b8d34bbfe75b7c692ce09b8e700c2161ae9dec6e77
Instruction Fuzzy Hash: BB01EE72800B058FCB30AF66D880812FBF9FF603253058A3FD19252A30C3B0A998CF84

Function 00B9D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B9D752

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B9D764
_free.LIBCMT ref: 00B9D776
_free.LIBCMT ref: 00B9D788
_free.LIBCMT ref: 00B9D79A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction ID: 02fcbf584666ef8764ed7c4bb6734f25ba44e78799aaaa8cd4b7f1f349f051ae
Opcode Fuzzy Hash: 2a958a70170cfddb5bdf42502541db6a1297df8dcbbf72aa6a80f756127bd71e
Instruction Fuzzy Hash: B3F0FF32954204ABCA21EBA5F9C5E1E77DDFB447107A508A5F04CE7A51CB24FC8086A4

Function 00BC5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BC5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BC5C6F
MessageBeep.USER32(00000000), ref: 00BC5C87
KillTimer.USER32(?,0000040A), ref: 00BC5CA3
EndDialog.USER32(?,00000001), ref: 00BC5CBD

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction ID: 81c10f070d55f98790de775bc8cd5e52053cd4b74897acf5278700de4de9f7d5
Opcode Fuzzy Hash: 23e48524f3dadbcbeb7428d135896715bc3dd975064b2c48f535f9b07b951e80
Instruction Fuzzy Hash: 85011230504B08ABEB315B10DE4EFA67BF8FB04B05F04159DA592A34E1DBF4B9C8CA90

Function 00B922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B922BE

Part of subcall function 00B929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000), ref: 00B929DE
Part of subcall function 00B929C8: GetLastError.KERNEL32(00000000,?,00B9D7D1,00000000,00000000,00000000,00000000,?,00B9D7F8,00000000,00000007,00000000,?,00B9DBF5,00000000,00000000), ref: 00B929F0

_free.LIBCMT ref: 00B922D0
_free.LIBCMT ref: 00B922E3
_free.LIBCMT ref: 00B922F4
_free.LIBCMT ref: 00B92305

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction ID: 317de6f3d4c37173c311067874a6247ed5f55cdce27eac43df33d7510f50fa2e
Opcode Fuzzy Hash: ce54eaaff56d3c3f9ba28989fff83e6acd73b358ff7eebd1c4a9428bad82b8d2
Instruction Fuzzy Hash: 53F05E71C20620AF8E22EF94BC41B0D3BE4F71876071405AAF814D63B1C7310912EFE4

Function 00B795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B795D4
StrokeAndFillPath.GDI32(?,?,00BB71F7,00000000,?,?,?), ref: 00B795F0
SelectObject.GDI32(?,00000000), ref: 00B79603
DeleteObject.GDI32 ref: 00B79616
StrokePath.GDI32(?), ref: 00B79631

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction ID: c30a26b86a19ecde1cba983a1aa1974cf889c94462fb587e58e21431da063e2b
Opcode Fuzzy Hash: 566690ac6dd55763d6495676b6ba935614e7c2373e4c45a404025a2e0bd9cc76
Instruction Fuzzy Hash: 49F0C935015708EFDB169F65EE18B683FA5EB11332F088354F869560F1CB308AA5DF20

Function 00B90F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B910F9
__freea.LIBCMT ref: 00B91117

Part of subcall function 00B91537: _free.LIBCMT ref: 00B9154F

Strings

a/p, xrefs: 00B911DE
am/pm, xrefs: 00B9117A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction ID: e621cf13604ea87f267c507a219d1a9e3afafe4d041b97439285087cb1685e2b
Opcode Fuzzy Hash: 4c14d949fcccbc6103ba7bfc2d8db7c5cb285a8f16a603bc6266113ff1e09033
Instruction Fuzzy Hash: 9BD1D031904207EADF299F6CC895BBAB7F0EF05700F2449F9E901AB651D3359D80EB65

Function 00BE7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B80242: EnterCriticalSection.KERNEL32(00C3070C,00C31884,?,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8024D
Part of subcall function 00B80242: LeaveCriticalSection.KERNEL32(00C3070C,?,00B7198B,00C32518,?,?,?,00B612F9,00000000), ref: 00B8028A

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00B800A3: __onexit.LIBCMT ref: 00B800A9

__Init_thread_footer.LIBCMT ref: 00BE7BFB

Part of subcall function 00B801F8: EnterCriticalSection.KERNEL32(00C3070C,?,?,00B78747,00C32514), ref: 00B80202
Part of subcall function 00B801F8: LeaveCriticalSection.KERNEL32(00C3070C,?,00B78747,00C32514), ref: 00B80235

Strings

5, xrefs: 00BE7C78
Variable must be of type 'Object'., xrefs: 00BE7C3A
G, xrefs: 00BE7C7F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: a4ed2b81222c2c1b20b38ca63c82ffdbda3b0d323fa2d5e24894bc5072d20379
Instruction ID: bdabea0b558265132df91db7b114c34068b34645d05dbefce4518474bc727e14
Opcode Fuzzy Hash: a4ed2b81222c2c1b20b38ca63c82ffdbda3b0d323fa2d5e24894bc5072d20379
Instruction Fuzzy Hash: 6D91AA70A44289EFCB04EF55D8809BDB7F5FF48300F108099F806AB292DB71AE45CB91

Function 00BC2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21D0,?,?,00000034,00000800,?,00000034), ref: 00BCB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BC2760

Part of subcall function 00BCB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BC21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BCB3F8

Part of subcall function 00BCB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BCB355
Part of subcall function 00BCB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB365
Part of subcall function 00BCB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BC2194,00000034,?,?,00001004,00000000,00000000), ref: 00BCB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BC281A

Strings

@, xrefs: 00BC2832

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction ID: 8962a3f6435fc98c9bad39578ac5631eee464436e54b8bb69b90cc8584861367
Opcode Fuzzy Hash: b62b5bb811b864d6ec3d95926e0ac4eb382111e481a24a49fc8e78e08c42f5de
Instruction Fuzzy Hash: 8341FB76900218AFDB10DBA4CD86FEEBBB8EF49700F104099FA55B7181DB706E45CBA1

Function 00B9172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00B91769
_free.LIBCMT ref: 00B91834
_free.LIBCMT ref: 00B9183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00B91760, 00B91767, 00B91796, 00B917CE

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction ID: 78155bc22b4b6eab409285b3bf6f03eceb0528bb4992866e43d6f8c93f6f0ba9
Opcode Fuzzy Hash: 0a33d9840e2e57d967f4eec1febb7e87bbc9fb91141d5063d57d629e581b64b0
Instruction Fuzzy Hash: 0F3150B5A0021AAFDF21DF999885E9EBBFCEB85350B1445F6F80497211D6708E41EBA0

Function 00BCC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BCC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00BCC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C31990,00DF7238), ref: 00BCC395

Strings

0, xrefs: 00BCC2DF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction ID: 0b865291ee27b18092d269f193cf7965c8cb721a5180d7752fc91686c8220604
Opcode Fuzzy Hash: 167f8a68094778a338a67ad8ba595eef1763b55222adeb42537541a36c80f632
Instruction Fuzzy Hash: E94191712043419FD720DF24E885F1ABFE4EBE5310F10869DF8A9D7292D730A904CB66

Function 00BF4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BFCC08,00000000,?,?,?,?), ref: 00BF44AA
GetWindowLongW.USER32 ref: 00BF44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF44D7

Strings

SysTreeView32, xrefs: 00BF447C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction ID: 5cb16f8f46c467e845109bf158ca25fd3d579c38e247afcbce9d7594970fbf58
Opcode Fuzzy Hash: cf52e181eef25015396354d2e5a592b79bd42ecd7e463f17ad2ade683551d730
Instruction Fuzzy Hash: 13316D31214209AFDB209E78DC45BEB7BE9EB08324F204755FA75A32E0DB74EC549B50

Function 00BE304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BE3077,?,?), ref: 00BE3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BE307A
_wcslen.LIBCMT ref: 00BE309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00BE3106

Strings

255.255.255.255, xrefs: 00BE3095, 00BE309A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction ID: 83574f8d0f22482da9f42e050e0269e6a24cecbd1e0ac41e9bfe2cedc614db23
Opcode Fuzzy Hash: ce3382875029262488bea9f66f0619f13382eba5fbdeecc2bd51081f8501f7d9
Instruction Fuzzy Hash: 7331F3352002859FCB20CF6AC589FAA77E0EF54718F2480D9E8159B393CB36EE41C761

Function 00BF3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BF3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BF3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF3F78

Strings

SysMonthCal32, xrefs: 00BF3F0B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction ID: e76235a1c1c6c3caa0888af6915e67c769a28bd168a993816779ac9257d1593f
Opcode Fuzzy Hash: 9af99fa777bbc112435367f00ddf7025000807ae7cfc3f847fae6d6d6ef32583
Instruction Fuzzy Hash: 2D219F32610219BFDF118F50DC86FEA3BB5EF48724F110254FA15AB1D0D6B5AD94CBA0

Function 00BF4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BF4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BF4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BF471A

Strings

msctls_updown32, xrefs: 00BF4684

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction ID: 3870e6325ff1b4ec5e7a008462262772166c8dc45a45c7876afa7384309f71fb
Opcode Fuzzy Hash: c97e0ce3644450e04dea76565fa59ea56d44e03adbd7bde72bc460aadb2a015b
Instruction Fuzzy Hash: 11213EB5604209AFDB10DF64DCD1EBB37EDEB9A3A8B040199FA009B251CB71EC55CB60

Function 00BC95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BC961D

Strings

#OnAutoItStartRegister, xrefs: 00BC95F3
#requireadmin, xrefs: 00BC95D9
#notrayicon, xrefs: 00BC95B7

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: ebdb9c8c8ae12bcf4d9f15dcf44f2729979447ec858b490dbdf98870fa212986
Instruction ID: 95d6f08b247bb3647ef477e5d99e20cb0bed692c822f33155f9c4baef3f37b3f
Opcode Fuzzy Hash: ebdb9c8c8ae12bcf4d9f15dcf44f2729979447ec858b490dbdf98870fa212986
Instruction Fuzzy Hash: DC21573220421167E331BB28DC4AFBB73D8EFA5714F5040BEFA8A97091EB65AD45C395

Function 00BF37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BF3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BF3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BF3876

Strings

Listbox, xrefs: 00BF380F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction ID: d51a26672cef85de5195f24a7b89dd43d743970454140857f0199e82d27722b4
Opcode Fuzzy Hash: 816221c31188a2303ec3aa443db08c39593247fbb74adeec011db203d006f06e
Instruction Fuzzy Hash: 5D21B072610118BBEB119F54CC81FBB37EAEF89B90F118164FA009B190CA75DC55C7A0

Function 00BD49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BD4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BD4A5C
SetErrorMode.KERNEL32(00000000,?,?,00BFCC08), ref: 00BD4AD0

Strings

%lu, xrefs: 00BD4A6F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction ID: 3d76d8fa192781e058542c3723248ef8b6d144513ed5f25faa23ab7d5bd9f8d0
Opcode Fuzzy Hash: 7f2e020fa87a6b9bc42425b04d8961173d716ef45e52815863f646e92efd4dc9
Instruction Fuzzy Hash: A3314175A00109AFDB10DF54C985EAABBF8EF04318F1480A5F509DB362DB75EE45CB61

Function 00BF41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BF424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BF4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BF4271

Strings

msctls_trackbar32, xrefs: 00BF4226

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction ID: 9c6f0b6246125e4a8144bb1d1afa5602c56e8c378fe410bedd900defdd018c91
Opcode Fuzzy Hash: 7ba4d1719d45411638d6c2b74fac829815c501dc5790f99736169631f041cef5
Instruction Fuzzy Hash: 4B11CE31250248BEEF205E28CC46FBB3BE8EB85B64F010624FA55E70A0D671D851DB20

Function 00BC2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Part of subcall function 00BC2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
Part of subcall function 00BC2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
Part of subcall function 00BC2DA7: GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
Part of subcall function 00BC2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

GetFocus.USER32 ref: 00BC2F78

Part of subcall function 00BC2DEE: GetParent.USER32(00000000), ref: 00BC2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00BC2FC3
EnumChildWindows.USER32(?,00BC303B), ref: 00BC2FEB

Strings

%s%d, xrefs: 00BC2FFF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction ID: e5ae622abd35578b20979adb0f9cd0752049045824f789e7c83ffbd080b59c67
Opcode Fuzzy Hash: 9a174489aad9e68919c3ae08db5b93bd919204ad90d5bb1f0739e7c823894539
Instruction Fuzzy Hash: C6119071600209ABDF556F649C86FFE37EAAF94304F0480B9B9099B292DE7099498B60

Function 00BF5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BF58EE
DrawMenuBar.USER32(?), ref: 00BF58FD

Strings

0, xrefs: 00BF588F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 40a86c89a834c791eeab873b2401aec86d64a54f2cff42f649d2142d5d552690
Instruction ID: f5f609239115ff110c10f86b3622ac1d6e61d76cb137bc555d55f5e6ef66180b
Opcode Fuzzy Hash: 40a86c89a834c791eeab873b2401aec86d64a54f2cff42f649d2142d5d552690
Instruction Fuzzy Hash: 4E012731500218AEDB219F25DC85BBABBB4FB45360F10C0D9EA49D7251DB708A88EF21

Function 00BBD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BBD3BF
FreeLibrary.KERNEL32 ref: 00BBD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00BBD3B9
X64, xrefs: 00BBD2A8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction ID: d97bf8592bba89dbf1b8e6f3ea95abcba488701fdd0dfcb0f4515f14b8eeeed3
Opcode Fuzzy Hash: b0a0793fb91d1167d6f0c9c959d536835a781fc1a1b8d9524dd4ef3455b9c222
Instruction Fuzzy Hash: F2F0552240075A8BC7741210CC98AFD77E4EF10741BA982E9F016F30A5FBF8CD88C64A

Function 00BC007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction ID: f580e428b0b6067efb05a41bc7cb55a1ebe36304a47dd372b0a80815e652f51e
Opcode Fuzzy Hash: 028cd8b6d1a30935a210dca48b8b5abd7c44564005934521eeead680cf553835
Instruction Fuzzy Hash: 8BC14775A1021AEFDB14DFA8C894FAAB7B5FF88304F248598E505EB251D731EE41CB90

Function 00B93E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B93F0B
__alldvrm.LIBCMT ref: 00B9410C
__alldvrm.LIBCMT ref: 00B9412E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 561f21f11133bf88cdbaf92e6c43b666358b6c9c4dcc8d088982a42de72fce8a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0DA12476A042969FDF25CF28C891BAABFE5EF62350F1841FDE5859B281C3348982C750

Function 00BE342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BE3459
CoUninitialize.OLE32 ref: 00BE3463
VariantInit.OLEAUT32(?), ref: 00BE346E
VariantClear.OLEAUT32(?), ref: 00BE371B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 428d7c567e8b306f117c6af049472d920b062f65ff411a2915027b9a19bf830f
Instruction ID: b811ed85736baa0abff8271cea535327a93426f432dcca25f37aafeba0f6d0f4
Opcode Fuzzy Hash: 428d7c567e8b306f117c6af049472d920b062f65ff411a2915027b9a19bf830f
Instruction Fuzzy Hash: F2A15C752183009FC710DF29C595A2AB7E5FF88714F04889DF98A9B362DB34EE45CB91

Function 00BC0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC0608
CLSIDFromProgID.OLE32(?,?,00000000,00BFCC40,000000FF,?,00000000,00000800,00000000,?,00BFFC08,?), ref: 00BC062D
_memcmp.LIBVCRUNTIME ref: 00BC064E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction ID: 7095cafc3edb9e0b33b39002795b7937c08592006e05b322acd508cbd6cf1916
Opcode Fuzzy Hash: 46d974dabc746846f938c24171a2334639eac11df185078e67e5f78b4568c2c7
Instruction Fuzzy Hash: 0981F771A10109EFCB04DF94C984EEEB7F9FF89315F204598E516AB250DB71AE46CB60

Function 00BEA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BEA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00BEA6BA

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Process32NextW.KERNEL32(00000000,?), ref: 00BEA79C
CloseHandle.KERNEL32(00000000), ref: 00BEA7AB

Part of subcall function 00B7CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BA3303,?), ref: 00B7CE8A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f318a3c08fbe61e502f92f27c839d53b34f26ff2f6bc351cbd86ac91c5f0412c
Instruction ID: 9e379616a46b1a419e7cdd80ea176a512aabf9c3996e3695fdc0da981411221c
Opcode Fuzzy Hash: f318a3c08fbe61e502f92f27c839d53b34f26ff2f6bc351cbd86ac91c5f0412c
Instruction Fuzzy Hash: 94514D715083409FD710EF25C886E6BBBE8FF89754F00895DF599972A1EB34E904CB92

Function 00BA1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BA14C0

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 855bcfdcfce095ff45d0f1c970aedc5fb0e53a3c604475ff2ed0e8c0b2a50807
Instruction ID: f72489724c00b113058df7fea9db04c7339c3ab74d48cb35d38a9c71c94e7807
Opcode Fuzzy Hash: 855bcfdcfce095ff45d0f1c970aedc5fb0e53a3c604475ff2ed0e8c0b2a50807
Instruction Fuzzy Hash: F5414931A08115ABDF617FBD8C85ABE3AE4EF4B370F144AE5F418D6391EA3448419BA1

Function 00BF6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF62E2
ScreenToClient.USER32(?,?), ref: 00BF6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BF6382

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction ID: 765628753a7a7b3cbabf58d20488951b4873fed8469f3c50262d6a4e54cf09a7
Opcode Fuzzy Hash: 4e2008a2c03fe1035ae9ea9989e52b677b06dd251b4a06fa8664ca988b95311f
Instruction Fuzzy Hash: 78511874A00209EFCB14DF68D980ABE7BF5EB55360F1481A9FE159B2A1D730ED85CB90

Function 00BE1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BE1AFD
WSAGetLastError.WSOCK32 ref: 00BE1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BE1B8A
WSAGetLastError.WSOCK32 ref: 00BE1B94

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction ID: 60728a79e6192a405f8e5a2f01e85dd5f238c6500f6546cb80c9c617b0de4ed2
Opcode Fuzzy Hash: 2c34bf9661adbf8c64097e679a0d79dc390035caf36a233e706316a5aec383ea
Instruction Fuzzy Hash: 9441A034600200AFE720AF24C886F2A77E5EB44718F54C498F95A9F3D2D776ED41CB90

Function 00B9B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction ID: c8f8dba693bb113e66d86ff29b24461e22aa0cca9f75fd0278024c48752e389c
Opcode Fuzzy Hash: b25a880021febd963755f2bf97e600434a61381399c9dc9229d71ea3b425b8b3
Instruction Fuzzy Hash: C441E275A00304AFDB24AF78D941FAABBE9EB88710F1045BEF151DB392D77199018780

Function 00BD56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BD5783
GetLastError.KERNEL32(?,00000000), ref: 00BD57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BD57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BD57FA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction ID: 0337e65802d103bdcae73b2525830202a7319d0b874840b0a235dccc439e3b31
Opcode Fuzzy Hash: b80457177f267fc60a7c2cdba9e05d11e262f653e63a16692b7c8843e8e63e6e
Instruction Fuzzy Hash: 89415B39210610DFCB20EF15C554A5EBBF2EF99324B1884D9E84AAB362DB34FD40CB91

Function 00B9D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B86D71,00000000,00000000,00B882D9,?,00B882D9,?,00000001,00B86D71,8BE85006,00000001,00B882D9,00B882D9), ref: 00B9D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B9D9AB
__freea.LIBCMT ref: 00B9D9B4

Part of subcall function 00B93820: RtlAllocateHeap.NTDLL(00000000,?,00C31444,?,00B7FDF5,?,?,00B6A976,00000010,00C31440,00B613FC,?,00B613C6,?,00B61129), ref: 00B93852

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction ID: e9c4d980eb7775e76f7cddd91b3d99ec9cd6603866592fe1c35b26fe4d02fb24
Opcode Fuzzy Hash: 9e3da7b0e4ec6ab20deab0d400397c9535516d84edf37349c2325dd28ff8bc2f
Instruction Fuzzy Hash: 6831AE72A0020AABDF24AF65DC85EAE7BE5EB40710B1542A9FC05D7160EB35CD54CB90

Function 00BF52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BF5352
GetWindowLongW.USER32(?,000000F0), ref: 00BF5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF53A8

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction ID: 4554e05cd0cf2d08c77635921554c616d228d67370c8030a48c19da50832cd20
Opcode Fuzzy Hash: e76e2708ea77752b8d7d804448f2e4093cbd2fcf1d8838ed5ec1c383a90febbc
Instruction Fuzzy Hash: 57319234A55A0CEFEB309A1CCC45BF877E5EB05390F584181FB12971E1C7B09988DB4A

Function 00BCAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00BCABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BCAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BCAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00BCACC6

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction ID: ea022528e725d910f21317ea607730794c12a4a55afc3833e9bce53acfae9a6a
Opcode Fuzzy Hash: 2b4e21755bce2cc00b8169e8dd6318e35796f503e5667dc6c8b0cf1c13caae8f
Instruction Fuzzy Hash: A3311230A4421CAFFB248B688C09FFB7BE5EB89318F04429EE491971D1C374998587A2

Function 00BF7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BF769A
GetWindowRect.USER32(?,?), ref: 00BF7710
PtInRect.USER32(?,?,00BF8B89), ref: 00BF7720
MessageBeep.USER32(00000000), ref: 00BF778C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction ID: 751fe95a1aa11c3ba3eb1a87295b655ab3bf42d4a680cec02e3d3518cb35e95b
Opcode Fuzzy Hash: 805077369599b63997f5a55ec05ca79fd4b9c6f087140e5ef116aa20670970f7
Instruction Fuzzy Hash: 97416D34655218EFCB01EF58C894FB97BF5FB49314F1940E8EA249B261CB30AD49CB90

Function 00BF16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BF16EB

Part of subcall function 00BC3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC3A57
Part of subcall function 00BC3A3D: GetCurrentThreadId.KERNEL32 ref: 00BC3A5E
Part of subcall function 00BC3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BC25B3), ref: 00BC3A65

GetCaretPos.USER32(?), ref: 00BF16FF
ClientToScreen.USER32(00000000,?), ref: 00BF174C
GetForegroundWindow.USER32 ref: 00BF1752

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction ID: a04757acb5833d8986e783c4a8a718bfaa5ac6e04069c1f647861e91df6204b4
Opcode Fuzzy Hash: 81cfb653c61773f2927d37a0483970b6f51eb780492493a244588dc21a242b13
Instruction Fuzzy Hash: D6313E75D00249AFC704EFA9C981DBEBBF9EF48304B5084AAE415E7211EA35DE45CFA0

Function 00BCDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

_wcslen.LIBCMT ref: 00BCDFCB
_wcslen.LIBCMT ref: 00BCDFE2
_wcslen.LIBCMT ref: 00BCE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00BCE018

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: ef2eb5eec78cdd59844e463945eeb91c933fcf60cf8985b626d66ee00e62ab73
Instruction ID: d8ad960a29efe2564fd7dd1cec91f82baefc05a191409d056549d34873006250
Opcode Fuzzy Hash: ef2eb5eec78cdd59844e463945eeb91c933fcf60cf8985b626d66ee00e62ab73
Instruction Fuzzy Hash: 3F21A375900215EFCB20EFA8D982B6EB7F8EF45760F1440A9E805BB281D7709E41CBA1

Function 00BF8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetCursorPos.USER32(?), ref: 00BF9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BB7711,?,?,?,?,?), ref: 00BF9016
GetCursorPos.USER32(?), ref: 00BF905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BB7711,?,?,?), ref: 00BF9094

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction ID: 03a83a3dc1ccc4c84b487391c4085837187644bacb100a397dd251e35d4c09aa
Opcode Fuzzy Hash: 7f2549eebf61840f4b2180d73f39c4eade524d36134dd750496beae7ac59fafb
Instruction Fuzzy Hash: 04216D3560011CEFDB258FA4C859FFA7BF9EB89360F1440A5FA058B2A1CB319994DF60

Function 00BCD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BFCB68), ref: 00BCD2FB
GetLastError.KERNEL32 ref: 00BCD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BFCB68), ref: 00BCD376

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction ID: 429f27679db1e851dcb4dd88c04f0065c9cb4267cc176da0072d550b38f1e145
Opcode Fuzzy Hash: 57a0d45449f13cfec7400fe4b22161d053a971d2905a1de3b2722cd8ff29de31
Instruction Fuzzy Hash: AA21B7745043059F8300DF24C98196E7BE8EF95364F104AADF495C72A1DB30D949CB97

Function 00BC1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC102A
Part of subcall function 00BC1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1036
Part of subcall function 00BC1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1045
Part of subcall function 00BC1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC104C
Part of subcall function 00BC1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BC15BE
_memcmp.LIBVCRUNTIME ref: 00BC15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC1617
HeapFree.KERNEL32(00000000), ref: 00BC161E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction ID: 9b0734dac24b7d1db9a3f4ec637d7d43512fe679e36a60c989faf155aed8817f
Opcode Fuzzy Hash: 6d832aa329d1d5ddae5e2d7cdef985bb63e115262e3121858b54b2001c375a77
Instruction Fuzzy Hash: 4F217C71E00108AFDB00DFA8C945FEEB7F8EF45344F184899E441B7242D730AA45DB50

Function 00BF2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BF280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BF2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BF2840

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 54e6f6949b5a1a2316d7c148d53a03e109e107546e3676dc1194c2c4055068a8
Instruction ID: fea500f652b9f9678b64519088c43727e050c8d103c1ef044aad224a2c78a6bd
Opcode Fuzzy Hash: 54e6f6949b5a1a2316d7c148d53a03e109e107546e3676dc1194c2c4055068a8
Instruction Fuzzy Hash: A4212131204119AFD7109B24C841FBA7BE5EF45324F148198F526CB6E2CB71FC86C790

Function 00BC78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8D8C
Part of subcall function 00BC8D7D: lstrcpyW.KERNEL32(00000000,?,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC8DB2
Part of subcall function 00BC8D7D: lstrcmpiW.KERNEL32(00000000,?,00BC790A,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?), ref: 00BC8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7923
lstrcpyW.KERNEL32(00000000,?,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BC8754,00000000,?,0000001C,?,?,00000000), ref: 00BC7984

Strings

cdecl, xrefs: 00BC797B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 594d329143875db7fc30bb8263f7ba620091dcf751b073d986c8b306d38a3742
Instruction ID: aacb7449364b5f39c120b8b5af30f3566a860313e1c7820b71ae9a2e7ec01abb
Opcode Fuzzy Hash: 594d329143875db7fc30bb8263f7ba620091dcf751b073d986c8b306d38a3742
Instruction Fuzzy Hash: ED11263A200302BBCB159F38D844E7A77E9FF85390B50806EF846C72A4EF719811CBA1

Function 00BF7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BF7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BF7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BF7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BDB7AD,00000000), ref: 00BF7D6B

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction ID: c0325f569df874c250cd9ebdd2c6188e0f8fbda47bcacbe049f402466ecbd58e
Opcode Fuzzy Hash: 679ad0b3203e983e2872edb385764ceb974dc87c4166ee63132e43bdf28da443
Instruction Fuzzy Hash: 8411AC75258619AFCB108F28CC04ABA3BE5EF45360B5583B4F939CB2E0DB308965CB80

Function 00BF5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BF56BB
_wcslen.LIBCMT ref: 00BF56CD
_wcslen.LIBCMT ref: 00BF56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF5816

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction ID: 075230d18467b01c07654758266691476637bd3b94771390f8fcca7a64f49856
Opcode Fuzzy Hash: e8d32471beb16865159df164003ad44c0ea685a4e47ede5c99f5fe0eb524ce85
Instruction Fuzzy Hash: 3811B47160060CAADB30AF61CCC5AFE77ECEF11760B1080A6FB15D7181EB709988CB64

Function 00B91D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd799ae76b2cafa8226262581b25a340d7276589fbd7052a0e5b43e4afc50aa4
Instruction ID: 5dacd50412efb4e713db70e28fdf487ac910c64d2faff7aa81f89e03c2264658
Opcode Fuzzy Hash: cd799ae76b2cafa8226262581b25a340d7276589fbd7052a0e5b43e4afc50aa4
Instruction Fuzzy Hash: 90014FB260561B7EFE11167C6CC1F67669DDF413B8B340BB5F535621E2DB608D40A170

Function 00BC1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BC1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC1A8A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction ID: 3c834d8ad43b551803091f5c07fa7f8c6c3d1de160a23c4de16094ac92d127ee
Opcode Fuzzy Hash: 224c7db61abe98b8a2e2f7ebcc48eae10a24978635597dbc7f62f59e9eb2f7ce
Instruction Fuzzy Hash: A411393AD01219FFEB10DFA8CD85FADBBB8EB08750F200495EA10B7290D6716E50DB94

Function 00BCE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BCE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00BCE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BCE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BCE24D

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction ID: cca0b31f656596c6f317b54d692f4b29b65011d504012177a5a236af32b7b29a
Opcode Fuzzy Hash: f394bbe7c9a9580682eb31f81ea143ce4f0c8d3a6ac6e298fb5926cbbc6269ab
Instruction Fuzzy Hash: 0511C876904258BFC7019FA89C05FAE7FECDB45320F044259F924E72A1D770CD048BA0

Function 00B8D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B8CFF9,00000000,00000004,00000000), ref: 00B8D218
GetLastError.KERNEL32 ref: 00B8D224
__dosmaperr.LIBCMT ref: 00B8D22B
ResumeThread.KERNEL32(00000000), ref: 00B8D249

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction ID: 82a56bf7cc15440a1299f11aa3570778857447ec703b21c1cbfafb7885cd3859
Opcode Fuzzy Hash: f6aaabda64df2a4371873000517ff76b03ef44804e3230a93f537ed54017b087
Instruction Fuzzy Hash: A601C036805209BBDB117FA5DC09AAA7FA9EF81330F10029AF925A21F0CF708945C7A0

Function 00B7990E Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1
GetWindowLongW.USER32(?,000000EB), ref: 00B79952

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction ID: 75f426b9f063dabeb1d87c5c2020b74e73eab64a4ab40a81b26fbc975cb9e242
Opcode Fuzzy Hash: 6be271b19b862f6de262eac5863584d4f168ced4788585535d91b1a01078149c
Instruction Fuzzy Hash: 2A118C322462109FD7118F20EC94FFA7FA5DF6B365B08419DFA468B2A2DB314891C751

Function 00BF9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B79BB2

GetClientRect.USER32(?,?), ref: 00BF9F31
GetCursorPos.USER32(?), ref: 00BF9F3B
ScreenToClient.USER32(?,?), ref: 00BF9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00BF9F7A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: e1b58f1d1dfdfd2b78a19f9ae5592af6f40c0ffc8be64e58120c6240eee88ff6
Instruction ID: 1b30be844fde807f8375787aba0b9982dd2df9f9fa47fc2d87e075bf7167a273
Opcode Fuzzy Hash: e1b58f1d1dfdfd2b78a19f9ae5592af6f40c0ffc8be64e58120c6240eee88ff6
Instruction Fuzzy Hash: 00112A3290011EABDB10DF68D985AFE7BB9FF45311F104495FA11E7151D730BA89CBA1

Function 00B6600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
GetStockObject.GDI32(00000011), ref: 00B66060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction ID: cf2e1819eeecd88704105b277c745d4eb202ba50d33c3471e69064121d08d563
Opcode Fuzzy Hash: 71a181c6d31c548e56afd592932fd50b540c94512300edeb168d6f2a184645c9
Instruction Fuzzy Hash: 5B116D72501508BFEF165FA49C84EEABFADFF093A4F040265FA1553110DB369CA0DBA0

Function 00B83B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B83B56

Part of subcall function 00B83AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B83AD2
Part of subcall function 00B83AA3: ___AdjustPointer.LIBCMT ref: 00B83AED

_UnwindNestedFrames.LIBCMT ref: 00B83B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B83B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B83BA4

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 28d4f055bf347d8418a261e86557f490ff8caff64c1e664f5fab9bc221c58108
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AB012972100149BBDF126E95CC42EEB7FE9EF48B54F044094FE4856131D732E961DBA0

Function 00B93073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B613C6,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue), ref: 00B930A5
GetLastError.KERNEL32(?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000,00000364,?,00B92E46), ref: 00B930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B9301A,00B613C6,00000000,00000000,00000000,?,00B9328B,00000006,FlsSetValue,00C02290,FlsSetValue,00000000), ref: 00B930BF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction ID: 092c838fbbe09517e1aa4e2ed5c3d994e2f2156bb86c7487a00a97e8673457f0
Opcode Fuzzy Hash: 226ceee353212825a90963020ce4b25b2bf8922c8c95c33d08c849b00180649b
Instruction Fuzzy Hash: B501D432301226ABCF314A789C84B6B7FD8EF05FA1B250670F915E3140CB21D945C6E0

Function 00BC7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BC747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BC7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BC74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BC74CA

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction ID: d28d37e36325cca6f2b1406bcea936a10f77db2eee3d62bd5861fe39db8070e7
Opcode Fuzzy Hash: 9453c453874a4b7d1f66b3221157bc242fcc335c1c78627fec2715a5baa17f86
Instruction Fuzzy Hash: B711A1B12453149BE7208F14ED49FA2BFFCEB00B00F1085ADA626D7251DB70E944DF90

Function 00BCB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BCACD3,?,00008000), ref: 00BCB126

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction ID: 202f7b70c55e9eb5cdd6b0780652616dfb2da5204232c71c5edc9af7096f9c3d
Opcode Fuzzy Hash: 58dc9af120a001922c7d8dece8dc97978ce0d55b9a117481e3f49288759254ad
Instruction Fuzzy Hash: 48111831C1151CD7CF009FA4E99AFEEBBB8FF09711F114089D951B3181CB3056508B52

Function 00BF7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BF7E33
ScreenToClient.USER32(?,?), ref: 00BF7E4B
ScreenToClient.USER32(?,?), ref: 00BF7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BF7E8A

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3d5b1168b58b9474107cc73b6bef7c6105f4f50f215ad33554999747d1c9dc7d
Instruction ID: 772fbc8cbcdf69dfe5792c10fd8e741c51daaaec392fcd05c1381399fd1bb0e8
Opcode Fuzzy Hash: 3d5b1168b58b9474107cc73b6bef7c6105f4f50f215ad33554999747d1c9dc7d
Instruction Fuzzy Hash: EA1113B9D0424EAFDB41DF98C9849EEBBF9FB08310F505096E915E3210D735AA95CF50

Function 00BC2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BC2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC2DD6
GetCurrentThreadId.KERNEL32 ref: 00BC2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BC2DE4

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction ID: b46d639db9bdb30ff03508325bf41004801d04b19ea168ce224f033ef3397712
Opcode Fuzzy Hash: d75dd678d91386612f604db688dd4da2587f233dd614aba4b007168308b1088d
Instruction Fuzzy Hash: 00E092711052287BD7201B729D0DFFB3EACEF53BA1F100069F506D30809EA0C980C6B0

Function 00BF8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B79639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B79693
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796A2
Part of subcall function 00B79639: BeginPath.GDI32(?), ref: 00B796B9
Part of subcall function 00B79639: SelectObject.GDI32(?,00000000), ref: 00B796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BF8887
LineTo.GDI32(?,?,?), ref: 00BF8894
EndPath.GDI32(?), ref: 00BF88A4
StrokePath.GDI32(?), ref: 00BF88B2

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction ID: b5a19d7b014a8bd265c5efd4bfc6112729222909e9bbec36a0839f1bc3b5b43e
Opcode Fuzzy Hash: 6ac02bf02c1cd76765752751979273671fccf8871d00a694c12d021ed3f0a334
Instruction Fuzzy Hash: 24F03A36041259BADB125FA4AD09FEE3E59AF06310F048141FA11670E2CB755561CBA5

Function 00B798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B798CC
SetTextColor.GDI32(?,?), ref: 00B798D6
SetBkMode.GDI32(?,00000001), ref: 00B798E9
GetStockObject.GDI32(00000005), ref: 00B798F1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction ID: 397bca79d9d55b38aeb446828ac028df905800b86157697f4d9ade65da4f4f6c
Opcode Fuzzy Hash: 07a2f1f81cb02c50a78ce0292fed580d73a7366e16d4a9be421056ff0bf402fb
Instruction Fuzzy Hash: 12E06531244244ABEB215F74AD09BF83F50EB51336F148259F6F95A1E1CB714790DB10

Function 00BC162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BC1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BC11D9), ref: 00BC1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BC11D9), ref: 00BC164F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction ID: d41d7299af9e0297e9e16c929adc7090c8697176364b604a0a604368be93a95b
Opcode Fuzzy Hash: 995914fe9d5997ee557650e68099fbb02cc69740f7176d33f87bfd19b7e263b1
Instruction Fuzzy Hash: 4FE04632602215ABD7201BB4AE0DFA63FA8EF45792F148858F245DB080EE348485CB68

Function 00BBD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD858
GetDC.USER32(00000000), ref: 00BBD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction ID: 4fdb7d93eeb330ee62f8c24a7bcf288ddcc667466670ea810dad60f9820443af
Opcode Fuzzy Hash: c4ba6e95fddb2572aedc1a979ac1e66024e24a85a74c9e73d3354a8459ffd3fb
Instruction Fuzzy Hash: 6FE0E5B0804208EFCB419FA09A48A7DBFF1AB08311F109449E84AE7350CB784995EF40

Function 00BBD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BBD86C
GetDC.USER32(00000000), ref: 00BBD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BBD882
ReleaseDC.USER32(?), ref: 00BBD8A3

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction ID: 7f5d248e336cc2e8e751f070c45dd191f060c8d8ef76343e2e91123b2e10e548
Opcode Fuzzy Hash: 393f537c9ff17693ee54c8a1f7bd1416c674d24682d073ac03cc399bef790f3f
Instruction Fuzzy Hash: FDE012B0804208EFCB40AFA0DA08A7DBFF1BB08310F109448E84AE7350CF385996EF40

Function 00BD4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B67620: _wcslen.LIBCMT ref: 00B67625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BD4ED4

Strings

*, xrefs: 00BD4E10
LPT, xrefs: 00BD4DFB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: eb69f61c67ec47a377a105fd7bc13645c07beb1c398aea5de6109ef677141805
Instruction ID: 0d75ff6f0c613a30bf390f612582a18fcea57d63d14ab2b1917975ac62ebb14c
Opcode Fuzzy Hash: eb69f61c67ec47a377a105fd7bc13645c07beb1c398aea5de6109ef677141805
Instruction Fuzzy Hash: 39913D75A002449FCB14DF58C494EAABBF5EF44308F1980DAE80A9F362E775ED85CB91

Function 00B8E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B8E30D

Strings

pow, xrefs: 00B8E2E5, 00B8E302

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction ID: cef3df1ccf47fcaa2cdae1d0210e4777749c11f7a2d0a73bd7365cc36d9929d2
Opcode Fuzzy Hash: 7e1e9291ed64bf2e1ce2107c1c4add28042d6be81da241a4877d9a012c7d9ef3
Instruction Fuzzy Hash: F0514AA1A6C60296CF167B18C9417BD3BE8EF40740F3449F8E4A5422B9DF34CC91DB4A

Function 00B7E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B7E1B1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction ID: db2d04e5a78e158b7daee6816cb15fbcb27aa9eb71eb7388feb66c7b33e38512
Opcode Fuzzy Hash: e9067d61f3d12bea72a4a0367f778e5ea24dc12128b8dc3114ce3e86d695a253
Instruction Fuzzy Hash: 40510035504246EFDB15DF68C4816FA7BE8EF19310F2480D9E8B1AB2A1DB74DD42CBA0

Function 00B7F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B7F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B7F2BB

Strings

@, xrefs: 00B7F2AF

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction ID: 05a200053483bc5b51e425af46cabc34e43b2e80af18f0d322edc2aa44f65c2b
Opcode Fuzzy Hash: c9e9e902ab5f4783233ea7738ab2a53b626e889a86a3f21414606fc7ad5d64ef
Instruction Fuzzy Hash: AC5155714187459BD320AF50D886BAFBBF8FB84304F81888DF2D9411A5EB758529CB66

Function 00BE5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00BE57E0
_wcslen.LIBCMT ref: 00BE57EC

Strings

CALLARGARRAY, xrefs: 00BE57E6, 00BE57EB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6c90bd8cf0e69fc2beb338ee89df18311de016791bea0e8f4eb8ed11cfca6e09
Instruction ID: d5d9f4b7862b9f13f8ad491b9047d6d327ec9a33ab6c04df86fc86ba557325c8
Opcode Fuzzy Hash: 6c90bd8cf0e69fc2beb338ee89df18311de016791bea0e8f4eb8ed11cfca6e09
Instruction Fuzzy Hash: F041B231E00109DFCB24DFA9C8819BEBBF9FF59318F1441A9E515A7251EB349D81CB90

Function 00BDD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BDD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BDD13A

Strings

|, xrefs: 00BDD10B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction ID: 8e3851e289471ca7bfba4ab6de5d53430d14defa0f9147fa3088c5fda3241e9d
Opcode Fuzzy Hash: a1809a2930ed09f66dd920ac6aa5fd8beb634fab4db4cd3887e870a560b8c27f
Instruction Fuzzy Hash: 99311A71D00209ABCF15EFA4CC85AEEBFF9FF04300F000199F915A6261E735AA46DB90

Function 00BF356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BF3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BF365C

Strings

static, xrefs: 00BF35BC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5eecb046fff4239b99bdca5f56ebbcde4a6e32f8ba393c51db38530a873ad762
Instruction ID: 9e6aa7a70188d289f28eaa15894817d7cc6a4454b2791da5eb9a4c693acb2e15
Opcode Fuzzy Hash: 5eecb046fff4239b99bdca5f56ebbcde4a6e32f8ba393c51db38530a873ad762
Instruction Fuzzy Hash: F0318D71110208AEDB109F68DC80EBB77E9FF98B24F008659FAA5D7290DA30ED95D760

Function 00BF4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BF461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF4634

Strings

', xrefs: 00BF458E

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction ID: f81806e267f1acbf5d932555ffbc80353ac4a561680f7389bec3d976c968f827
Opcode Fuzzy Hash: 4a5d30b3083b35ebb5624011e3c8b17dd14e958dbc25f9f91f70de1bfac47a99
Instruction Fuzzy Hash: 1131F574A01209AFDF14DFA9C990BEABBF5FB59300F1440AAEA05AB351D770A945CF90

Function 00BF31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BF327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF3287

Strings

Combobox, xrefs: 00BF3249

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction ID: 1b5bc8cf1faaa9438df18e3dcd65959829ffb4d90d416a79ae7336dba3e05076
Opcode Fuzzy Hash: 91db9745cbcd6e36b76e18038df17bd4a7026103a9fc58c3c959c891b5ff8cb2
Instruction Fuzzy Hash: B311B27130020C7FFF219E54DC80EBB3BEAEB98764F104265FA1897290D631DD559760

Function 00BCEF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BCEF1D

Strings

HANDLE, xrefs: 00BCEF16
hn, xrefs: 00BCEF1B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$hn
API String ID: 176396367-2881828973
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: 387b977a0048955d764153789ee3747967cbfcca48f536b71ba80782a23b4582
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: D811BE71620215DAFB289A54D889FADB3E9EB81766F6044EEE460CE0C4E770DE81C614

Function 00BF3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B6600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B6604C
Part of subcall function 00B6600E: GetStockObject.GDI32(00000011), ref: 00B66060
Part of subcall function 00B6600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B6606A

GetWindowRect.USER32(00000000,?), ref: 00BF377A
GetSysColor.USER32(00000012), ref: 00BF3794

Strings

static, xrefs: 00BF3757

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction ID: e515e2949e018783128516f4419cd790ee59ba8d8072be2c04027862ed9f99ca
Opcode Fuzzy Hash: bd34ef6514d44be0a301e09b38554096361e9b0bafceb91c7b5e890b96ad3ccd
Instruction Fuzzy Hash: 601106B2610209AFDB00EFA8C846EBA7BE8EB08714F004954FA55E3250DB35E955DB50

Function 00BDCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BDCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BDCDA6

Strings

<local>, xrefs: 00BDCD66

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction ID: 12d047f736f68bf2506bbb1d7eb98331c7696e9f380adf1cadbba8db4efd6f71
Opcode Fuzzy Hash: 8b6200835cd926703463c3a8eae30a2a7c0745b09cef9fc3ddddb39763b0f562
Instruction Fuzzy Hash: 0611A3712056367AD7284A668C85EF7FEAAEF127A4F104277B11A83290E6609840D6F0

Function 00BF3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BF34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BF34BA

Strings

edit, xrefs: 00BF348F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction ID: 9bf704fb37aa702a2897cb02ede15fc7e2d396f3ce390f0d4c53d8a65e6f6c74
Opcode Fuzzy Hash: f18174672af4df32cc201ebb93a6ef144630e030ed1ec4ea7fe3a9d2b99cd8da
Instruction Fuzzy Hash: 5311BC7110020CAFEB128E64DC80ABB3BEAEB04B74F504364FA60932E0C771DD999B60

Function 00BC6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

CharUpperBuffW.USER32(?,?,?), ref: 00BC6CB6
_wcslen.LIBCMT ref: 00BC6CC2

Strings

STOP, xrefs: 00BC6CBC, 00BC6CC1

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction ID: 440ccae411bc6831978dde2c9ee29e3f70e4ff9bbf23b64c08662de7313e8e62
Opcode Fuzzy Hash: b6c94653cb922d4c22f3190372f41438dfd58d7ab995298816d7e108d28a4d9b
Instruction Fuzzy Hash: 5801C032A1052A8BCB20AFFDDC80EBF77E9EB61720B1005BCE86297194EB35D940C650

Function 00BC1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BC1D4C

Strings

ListBox, xrefs: 00BC1D16
ComboBox, xrefs: 00BC1CEB

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction ID: 2f51347b4b1936385fac12de1e773d6871b811221fb8c0407bf2f417c44ba22c
Opcode Fuzzy Hash: be1f406c1ed3832dbc5f829a40d0cd14b8f39019a9fbc6fd823a636775da47af
Instruction Fuzzy Hash: EF01D871601218ABCB04EBA4CD51EFF77E8EB57350B140DADF823672C2EA349908C660

Function 00B61CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B62B12,00C31418,?,?,?,?,?,?,?,00B61CAD,?), ref: 00B61D11

Part of subcall function 00B66B57: _wcslen.LIBCMT ref: 00B66B6A

Strings

h7, xrefs: 00B61D2B
(1, xrefs: 00B61D51

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: (1$h7
API String ID: 4019309064-1470284614
Opcode ID: 2b9d60cf408423ae97cb8ac3b5b4b0304c37d13f22e77078af685e962b667969
Instruction ID: f96e716a55b8871bd966f6b95f86ad657233d1a91acedd4d31a0ffe1a6ab3d7d
Opcode Fuzzy Hash: 2b9d60cf408423ae97cb8ac3b5b4b0304c37d13f22e77078af685e962b667969
Instruction Fuzzy Hash: AF118875A042199ECF11EBA4D942EDD77F8EF08350F0484F1B985D7161DA74EB889760

Function 00BC1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BC1C46

Strings

ListBox, xrefs: 00BC1C10
ComboBox, xrefs: 00BC1BE5

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction ID: 12b6f48af06cec1687725d1c05c500c598c7bd211ffb21393db5aa4f7d7035c5
Opcode Fuzzy Hash: c1fb60aee2098d8ffecac0dbba04d1874dd494d1051296499d4a20039f19a992
Instruction Fuzzy Hash: 0B01A77578110867CB04EB94CA51FFF77ECDB12340F14049DB40677282EA349E18E6B1

Function 00BC1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BC1CC8

Strings

ListBox, xrefs: 00BC1C94
ComboBox, xrefs: 00BC1C69

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction ID: fb8ed551bb2dd66ca77e6f851cc4fc5ea068b5ad95f7128020109fda7cfb8ce2
Opcode Fuzzy Hash: 1bac771f184acf773829f4e0bebd191a1a6cd7c0407f25d4ca9d90cb400545f3
Instruction Fuzzy Hash: EB018F7168021867CB04EBA4CA51FFF77ECDB12380F540499B802B7282EA349E18D671

Function 00BC1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B69CB3: _wcslen.LIBCMT ref: 00B69CBD

Part of subcall function 00BC3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BC3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00BC1DD3

Strings

ListBox, xrefs: 00BC1DA0
ComboBox, xrefs: 00BC1D75

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction ID: de1b0562150d1d98f03f9cd5dc258b149098e8acc577c653bdcb614202f9139e
Opcode Fuzzy Hash: ab76c764f2af69d57401cdd12dd52cd807a7ca6cfd172498d0d2025b68402473
Instruction Fuzzy Hash: 36F0A471B5121867DB04F7A8DD92FFF77ECEB12750F440DA9B822B32C2DA7459088660

Function 00BE747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BE7493
_wcslen.LIBCMT ref: 00BE74B9

Strings

3, 3, 16, 1, xrefs: 00BE7483

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction ID: 4ecba43e7b40aa2a556c173ecdedc5952c1f236109186aeee7978457c84247d3
Opcode Fuzzy Hash: da760fe68ea81731eb82ffbda04c4acb24a22dc91b2956f7bd2745e0690aa379
Instruction Fuzzy Hash: 1EE02B02245261149231227BECC197F56D9CFC975071018ABF985C23B6EF94CD91D3A0

Function 00BC0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BC0B23

Strings

AutoIt, xrefs: 00BC0B17
Error allocating memory., xrefs: 00BC0B1C

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 0061803b50ab06b480f5c4d1345432ffd3ca9dbd8c1858c51e7e1a5b04620a11
Instruction ID: d8e88e696489b7d943f4b96163b3f2ce9675cc8689080b899aa0c352d2ab43ae
Opcode Fuzzy Hash: 0061803b50ab06b480f5c4d1345432ffd3ca9dbd8c1858c51e7e1a5b04620a11
Instruction Fuzzy Hash: 45E0483228931D6AD21436557D03FA97FC4CF05B51F1044AAFB58965D38FE168D087ED

Function 00B80D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B7F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B80D71,?,?,?,00B6100A), ref: 00B7F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B80D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B80D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B80D7F

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction ID: be2abcea14b7e2849324af7e5059b9445af116dccd0ec66beff47760a54adc95
Opcode Fuzzy Hash: a4b20efc0cc0ec14c3d271ea3199d81aeda7b4c3e581db28635f863d9d476049
Instruction Fuzzy Hash: F2E06D702103028FD3A0BFB9E5043667BE4EF00780F0489BDE886C7661DBB4E488CB91

Function 00BD3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BD302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BD3044

Strings

aut, xrefs: 00BD3038

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction ID: d71c12389162d9b464c834a3a3d117d09acf34809e73d49eee5ddf3694efc890
Opcode Fuzzy Hash: 26b84ea9826e6f6d3955c82965cf4925c987e02f5aba6e164c6be25e7b063cef
Instruction Fuzzy Hash: 50D05E72500328A7DA20A7A4AD0EFDB3E6CDB04750F0002A1B655E3092DEB09984CAE0

Function 00BBD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BBD220

Strings

X64, xrefs: 00BBD2A8
%.3d, xrefs: 00BBD22B

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction ID: ddec2e7207602ad899893e688b6fe174c83e711a1680c50edf2ac22ee110061a
Opcode Fuzzy Hash: a081c41b1cc86b247b9e3a619085f12db897235df51e5c2b8892b2d49c8cf397
Instruction Fuzzy Hash: 47D01261C09159EBCB50D7D0DCC59F9B7FCEB08341F5084E2F91A92040F66CC948AB61

Function 00BF2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BF233F

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2325

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction ID: e985e1bcd37e2b6ae63eba7a7729a75c878b0c59e4073eee3eaae537e3261393
Opcode Fuzzy Hash: 3904485b0501d268d7756f141df1c10b4dd100c935271b21150ceddaf3c3e876
Instruction Fuzzy Hash: 8ED01276394314B7E664B770ED0FFD67E54AB10B10F0049267755EB1D0CDF0A881CA54

Function 00BF2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF236C
PostMessageW.USER32(00000000), ref: 00BF2373

Part of subcall function 00BCE97B: Sleep.KERNEL32 ref: 00BCE9F3

Strings

Shell_TrayWnd, xrefs: 00BF2365

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction ID: fb97ad845171eb79dfad210004aed63f3588a220f35c25de6d56e7b9e29929d1
Opcode Fuzzy Hash: a85a53ade4bd4abafd0825c10d5609479798fe214c055e985b4149e500448504
Instruction Fuzzy Hash: 17D0C972385314BAE664A770AD0FFD66A54AB15B10F4049267655EB1D0C9F0A881CA54

Function 00B9BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B9BE93
GetLastError.KERNEL32 ref: 00B9BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B9BEFC

Memory Dump Source

Source File: 00000000.00000002.1833140051.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.1832865428.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000BFC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833292826.0000000000C22000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833380452.0000000000C2C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1833428657.0000000000C34000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction ID: c72df82b3246c9cd85e89eb56b331e5700b7a2513cf360ae79e47c44364e2594
Opcode Fuzzy Hash: c71a7f3f5dbd128c6f1f225bb062ec7f7610e9942676fc625cd099182a1e1430
Instruction Fuzzy Hash: 5941B13560060AABCF219F64EE84FBA7BE9EF41310F1441F9F959971A1DB308D01CB50

Analysis Process: firefox.exePID: 7320, Parent PID: 7700COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001FF82432377 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000001FF8243239C

Memory Dump Source

Source File: 00000010.00000002.3032651538.000001FF82430000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001FF82430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1ff82430000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: cd6c6038226c515049fa31170fe799de8694ad168ef17d3f99427f79fe462a64
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 99A3C231614A498BDB2EDF28DCC96E977E5FF95350F04423ED94BC7252DA30EA428A81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1889878256.000001B0E53C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1861447379.000001B0DA9B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1983625216.000001B0E54EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889096692.000001B0E54EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1981219192.000001B0E136C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965812331.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860412408.000001B0E16EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1965812331.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860412408.000001B0E16EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981219192.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1983625216.000001B0E54EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004165084.000001B0DA96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003465927.000001B0DACB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1981219192.000001B0E136C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1965812331.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860412408.000001B0E16EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1965812331.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860412408.000001B0E16EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1981219192.000001B0E13EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF82303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF82303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.2010609380.000001B0DB349000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3029317376.000001FF82303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3028885319.00000237F750C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1983625216.000001B0E54EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2004165084.000001B0DA96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.2003465927.000001B0DACB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.2012927447.000001B0D9A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.2003465927.000001B0DACA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1979730691.000001B0E1ABC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1994758564.000001B0E1ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49825 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_45fcd96f-7d16-4a2c-b54a-73b2ba21a852.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre