Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574222
MD5:	cfd9ab2985983b15f40a6f8ddda94ee0
SHA1:	1b3aa3ee12fb143281e3b704208bee2a0e045697
SHA256:	54fa403f5d329dd8060e67a18fc46ce1bd3d75a8d5e6c88820c59ede26f83e87
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CFD9AB2985983B15F40A6F8DDDA94EE0)

taskkill.exe (PID: 6568 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6888 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7064 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2800 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2736 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3912 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2344 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7016 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3272 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a7d813-ab86-4a04-a462-8812601b1dad} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23380e6df10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b57976d-da3a-4354-b0b3-d8c11ef1f763} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23392f65510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5372 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e101298c-ffce-4ec1-91f5-1fa77204f0e6} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 233928b4710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6528	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00A7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A7ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00A7EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A6AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A99576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3f4f3ffb-4
Source: file.exe, 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_221c4425-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7d86bebd-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_70817090-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002732D0489B7 NtQuerySystemInformation,		16_2_000002732D0489B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002732D1672F2 NtQuerySystemInformation,		16_2_000002732D1672F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A6D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A6E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A08060	0_2_00A08060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A72046	0_2_00A72046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A68298	0_2_00A68298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E4FF	0_2_00A3E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3676B	0_2_00A3676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A94873	0_2_00A94873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2CAA0	0_2_00A2CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0CAF0	0_2_00A0CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1CC39	0_2_00A1CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A36DD9	0_2_00A36DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A091C0	0_2_00A091C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1B119	0_2_00A1B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21394	0_2_00A21394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21706	0_2_00A21706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2781B	0_2_00A2781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A219B0	0_2_00A219B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A07920	0_2_00A07920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1997D	0_2_00A1997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A27A4A	0_2_00A27A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A27CA7	0_2_00A27CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21C77	0_2_00A21C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A39EEE	0_2_00A39EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8BE44	0_2_00A8BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A21F32	0_2_00A21F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002732D0489B7	16_2_000002732D0489B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002732D1672F2	16_2_000002732D1672F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002732D167332	16_2_000002732D167332
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002732D167A1C	16_2_000002732D167A1C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A1F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A20A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/43@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A737B5 GetLastError,FormatMessageW,

0_2_00A737B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A610BF AdjustTokenPrivileges,CloseHandle,		0_2_00A610BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A616C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A751CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A6D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00A7648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A042A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1893104328.00000233928EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942450473.0000023394250000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844071592.00000233928EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1833852960.000002339CBC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe	ReversingLabs: Detection: 28%
Source: file.exe	Virustotal: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a7d813-ab86-4a04-a462-8812601b1dad} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23380e6df10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b57976d-da3a-4354-b0b3-d8c11ef1f763} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23392f65510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5372 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e101298c-ffce-4ec1-91f5-1fa77204f0e6} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 233928b4710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a7d813-ab86-4a04-a462-8812601b1dad} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23380e6df10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b57976d-da3a-4354-b0b3-d8c11ef1f763} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23392f65510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5372 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e101298c-ffce-4ec1-91f5-1fa77204f0e6} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 233928b4710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1939199703.000002339C0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946866547.000002339C0AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1939199703.000002339C0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946866547.000002339C0AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1942450473.0000023394250000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000D.00000003.1946346987.000002339C111000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdbh source: firefox.exe, 0000000D.00000003.1939199703.000002339C0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946866547.000002339C0AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000D.00000003.1945721705.000002339C1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C1A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000D.00000003.1945721705.000002339C1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C1A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1942450473.0000023394250000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1942450473.0000023394250000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: xul.pdb source: firefox.exe, 0000000D.00000003.1945721705.000002339C1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C1A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000D.00000003.1947043756.000002339935A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939803896.0000023399353000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb` source: firefox.exe, 0000000D.00000003.1947043756.000002339935A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939803896.0000023399353000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000D.00000003.1947043756.000002339935A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939803896.0000023399353000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000D.00000003.1945721705.000002339C1AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C1A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000D.00000003.1946346987.000002339C111000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1946591909.000002339C0C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939199703.000002339C0BF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: firefox.pdbbrowser-open-newtab-start source: firefox.exe, 0000000D.00000003.1940015754.0000023399175000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1939199703.000002339C0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946866547.000002339C0AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1934387620.00000233907A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1934387620.00000233907A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000D.00000003.1940015754.0000023399175000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1939199703.000002339C0A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946866547.000002339C0AF000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20A76 push ecx; ret

0_2_00A20A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A1F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A91C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96356

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002732D0489B7 rdtsc

16_2_000002732D0489B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A768EE FindFirstFileW,FindClose,	0_2_00A768EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00A7698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A6D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A6D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A79642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A7979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A79B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A75C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: firefox.exe, 0000000F.00000002.3559963161.000002E6390E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: firefox.exe, 0000000F.00000002.3559963161.000002E6390BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000011.00000002.3559621532.0000025CF7B0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp*
Source: firefox.exe, 0000000F.00000002.3559963161.000002E6390E5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3564447660.000002732CED0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3559690923.000002732C78A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565166157.0000025CF7FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3566112342.000002E639708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg
Source: firefox.exe, 0000000F.00000002.3565280575.000002E639614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3566112342.000002E639708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: firefox.exe, 0000000F.00000002.3566112342.000002E639708000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3564447660.000002732CEE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002732D0489B7 rdtsc

16_2_000002732D0489B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A7EAA2 BlockInput,

0_2_00A7EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A32622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A24CE8 mov eax, dword ptr fs:[00000030h]

0_2_00A24CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A60B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A32622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A2083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A209D5 SetUnhandledExceptionFilter,	0_2_00A209D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A20C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A61201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A42BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A42BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6B226 SendInput,keybd_event,

0_2_00A6B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A822DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00A60B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A61663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20698 cpuid

0_2_00A20698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A5D21C GetLocalTime,

0_2_00A5D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A5D27A GetUserNameW,

0_2_00A5D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A3BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A042DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6528, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6528, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00A81204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A81806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Ransomware.Generic
file.exe	19%	Virustotal		Browse
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.238	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3561770678.0000025CF7EC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1893472155.000002339288F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1946251860.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938696319.000002339C187000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919635797.000002339C187000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3562650621.000002E6395C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3560930647.000002732C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565387969.0000025CF8103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1801607777.0000023399247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799805517.0000023399247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864553913.0000023399246000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3561770678.0000025CF7E8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1835000711.000002339AB2F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1846851623.000002339C05B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1753126128.0000023390B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752580662.0000023390B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752419240.0000023390900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752931976.0000023390B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752746215.0000023390B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1845076294.00000233923A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1838018044.0000023399166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1847086955.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837420613.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922790173.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1842378986.00000233930D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752931976.0000023390B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752746215.0000023390B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.1942109807.000002339426F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839628640.000002339426F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1753126128.0000023390B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752580662.0000023390B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752419240.0000023390900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752931976.0000023390B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752746215.0000023390B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.1839628640.000002339426F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3562650621.000002E6395C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3560930647.000002732C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565387969.0000025CF8103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1846225969.000002339C627000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1819747064.00000233925EA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1837082144.00000233993A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1844430442.000002339284B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1847086955.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837420613.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922790173.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3562650621.000002E6395C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3560930647.000002732C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565387969.0000025CF8103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://www.youtube.com/	firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1824478237.0000023391C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823322392.0000023391C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823194498.0000023391C7B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1846225969.000002339C627000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3561770678.0000025CF7EC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1838770569.0000023398BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923086689.0000023398BAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1823288040.0000023391C6A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1918062943.0000023392749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906612297.0000023392749000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1843631842.0000023392D64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843631842.0000023392D5E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1845076294.00000233923A8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1835000711.000002339AB2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839424689.000002339475A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3560930647.000002732C912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561770678.0000025CF7E13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1838018044.0000023399166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1761403960.0000023390EFB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842888788.0000023392F1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875462017.000002339455B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1822253331.00000233913CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851917385.0000023392693000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872891108.00000233913BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856206856.000002339259A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907950396.00000233925E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920589848.000002339AB6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835000711.000002339AB6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864553913.0000023399218000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871908886.0000023391CC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926330621.0000023399227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916566166.00000233927C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906612297.0000023392758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1822253331.00000233913C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841511165.0000023393743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884627479.000002339229D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801930614.000002339922E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837726092.000002339930E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928481468.00000233930D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1942109807.000002339426F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839628640.000002339426F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1949999640.0000023393717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942109807.000002339426F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841657457.0000023393718000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839628640.000002339426F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1846919088.000002339934C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939803896.000002339934B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837420613.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1837907946.00000233991BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1837907946.00000233991BC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1801607777.0000023399247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864553913.0000023399246000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1847086955.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837420613.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922790173.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1847086955.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837420613.0000023399324000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922790173.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1835000711.000002339ABC9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1756009266.000002338E433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757003304.000002338E430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925213586.000002338E439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932727146.000002338E434000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1891470470.0000023394292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941334410.0000023394292000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839628640.000002339426F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1824478237.0000023391C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823322392.0000023391C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823194498.0000023391C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823194498.0000023391C6E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1756009266.000002338E433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757003304.000002338E430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925213586.000002338E439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932727146.000002338E434000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1846225969.000002339C627000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3562650621.000002E6395C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3560930647.000002732C9E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3565387969.0000025CF8103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1837082144.00000233993A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1834093496.000002339C989000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1752746215.0000023390B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1923472466.00000233947EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752931976.0000023390B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752746215.0000023390B3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1838018044.0000023399166000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3561894972.000002E6392C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3565010901.000002732CFC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3561043657.0000025CF7C00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/users	firefox.exe, 00000011.00000002.3561770678.0000025CF7EF8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000D.00000003.1837082144.00000233993A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1846919088.000002339934C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939803896.000002339934B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837420613.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1824478237.0000023391C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823322392.0000023391C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823194498.0000023391C7B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1756009266.000002338E433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757003304.000002338E430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925213586.000002338E439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932727146.000002338E434000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000D.00000003.1922790173.0000023399324000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1839424689.00000233947E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1802954254.0000023399448000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574222
Start date and time:	2024-12-13 05:48:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/43@69/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 96% Number of executed functions: 46 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 54.213.181.160, 35.85.93.176, 172.217.17.46, 88.221.134.209, 88.221.134.155, 142.250.181.106, 142.250.181.138, 23.218.208.109, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7016 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	http://sourceforge.net/projects/nircmd/files/nircmd-x64.zip/download	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.51.229.161
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.106.195.4
ATGS-MMD-ASUS	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	56.211.75.194
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	57.2.87.119
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.64.214.188
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.51.229.161
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.106.195.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3e6453eb-fe91-4e4f-b261-d752867c9b5f.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183471717649587
Encrypted:	false
SSDEEP:	192:9jMXHhH9HWcbhbVbTbfbRbObtbyEl7nFIrFJA6WnSrDtTUd/SkDrE:9YecNhnzFSJWrABnSrDhUd/C
MD5:	20A22B47C773502D41405C5E47DC5246
SHA1:	436F03C0157E63D1352B3F0E283A59340EBB7FDE
SHA-256:	DB63C1A470B6F0F6C2EE0FB68D5A0574E0443A16E79226746EA59B490D7E3B9B
SHA-512:	EFBFC98122FE5B9DFAD1DF7280E0509AC2BA35A7106DD15B0278109A63F2FC3E5E5C316C40A133696E36A8AD24BE4567F316FE6D1E44AB93B46C50F9551B0CEF
Malicious:	false
Preview:	{"type":"uninstall","id":"3e6453eb-fe91-4e4f-b261-d752867c9b5f","creationDate":"2024-12-13T06:01:53.808Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3e6453eb-fe91-4e4f-b261-d752867c9b5f.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183471717649587
Encrypted:	false
SSDEEP:	192:9jMXHhH9HWcbhbVbTbfbRbObtbyEl7nFIrFJA6WnSrDtTUd/SkDrE:9YecNhnzFSJWrABnSrDhUd/C
MD5:	20A22B47C773502D41405C5E47DC5246
SHA1:	436F03C0157E63D1352B3F0E283A59340EBB7FDE
SHA-256:	DB63C1A470B6F0F6C2EE0FB68D5A0574E0443A16E79226746EA59B490D7E3B9B
SHA-512:	EFBFC98122FE5B9DFAD1DF7280E0509AC2BA35A7106DD15B0278109A63F2FC3E5E5C316C40A133696E36A8AD24BE4567F316FE6D1E44AB93B46C50F9551B0CEF
Malicious:	false
Preview:	{"type":"uninstall","id":"3e6453eb-fe91-4e4f-b261-d752867c9b5f","creationDate":"2024-12-13T06:01:53.808Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3113310207434856
Encrypted:	false
SSDEEP:	24:+dffb9AR+TIUx2dWoM15QLN8zmHdffb9AR+swM+bpoqdWoM15QLFX1Rgm5dffb9O:+dHqFUgdwdzkdHqb6Bdwb2dHqbadwJ1
MD5:	7EFF44F25D2ED296B5AABE2DF3510680
SHA1:	CBEDA3991F9CD72A45CDB46E7BC3AEDD28384E6B
SHA-256:	123C6DC98D47DF207600D2022D7B2F57F9BBB643063E2D385087700BC9C85DBC
SHA-512:	D1DA18463CE85107FD476F24A64F6E761B76B1721765BCD658F3091C0CF0BA60E796075A97F119F5ADD9A0803E6FB8F34099D04BF4D5EE3932A3DBE6F49FE94A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......$..k.M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y0&....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y0&............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y0&..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............Un.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3113310207434856
Encrypted:	false
SSDEEP:	24:+dffb9AR+TIUx2dWoM15QLN8zmHdffb9AR+swM+bpoqdWoM15QLFX1Rgm5dffb9O:+dHqFUgdwdzkdHqb6Bdwb2dHqbadwJ1
MD5:	7EFF44F25D2ED296B5AABE2DF3510680
SHA1:	CBEDA3991F9CD72A45CDB46E7BC3AEDD28384E6B
SHA-256:	123C6DC98D47DF207600D2022D7B2F57F9BBB643063E2D385087700BC9C85DBC
SHA-512:	D1DA18463CE85107FD476F24A64F6E761B76B1721765BCD658F3091C0CF0BA60E796075A97F119F5ADD9A0803E6FB8F34099D04BF4D5EE3932A3DBE6F49FE94A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......$..k.M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y0&....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y0&............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y0&..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............Un.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\87RHNY87CGJKH62829IA.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3113310207434856
Encrypted:	false
SSDEEP:	24:+dffb9AR+TIUx2dWoM15QLN8zmHdffb9AR+swM+bpoqdWoM15QLFX1Rgm5dffb9O:+dHqFUgdwdzkdHqb6Bdwb2dHqbadwJ1
MD5:	7EFF44F25D2ED296B5AABE2DF3510680
SHA1:	CBEDA3991F9CD72A45CDB46E7BC3AEDD28384E6B
SHA-256:	123C6DC98D47DF207600D2022D7B2F57F9BBB643063E2D385087700BC9C85DBC
SHA-512:	D1DA18463CE85107FD476F24A64F6E761B76B1721765BCD658F3091C0CF0BA60E796075A97F119F5ADD9A0803E6FB8F34099D04BF4D5EE3932A3DBE6F49FE94A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......$..k.M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y0&....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y0&............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y0&..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............Un.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHA9JGIFIOCWQA2TI73Y.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3113310207434856
Encrypted:	false
SSDEEP:	24:+dffb9AR+TIUx2dWoM15QLN8zmHdffb9AR+swM+bpoqdWoM15QLFX1Rgm5dffb9O:+dHqFUgdwdzkdHqb6Bdwb2dHqbadwJ1
MD5:	7EFF44F25D2ED296B5AABE2DF3510680
SHA1:	CBEDA3991F9CD72A45CDB46E7BC3AEDD28384E6B
SHA-256:	123C6DC98D47DF207600D2022D7B2F57F9BBB643063E2D385087700BC9C85DBC
SHA-512:	D1DA18463CE85107FD476F24A64F6E761B76B1721765BCD658F3091C0CF0BA60E796075A97F119F5ADD9A0803E6FB8F34099D04BF4D5EE3932A3DBE6F49FE94A
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......$..k.M..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I.Y0&....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y0&............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y0&..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z.............Un.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929145892120818
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNPQm:8S+OfJQPUFpOdwNIOdYVjvYcXaNLvZ8P
MD5:	604FADE8DB3A383FC1B8AC460826FCF5
SHA1:	47121FCFF88CD99232D8563BD4C0DC3AAFFE5302
SHA-256:	9414C1877279069DA8A3C749134E262C2CADD8DB97FF724C168B4F804BD0BD28
SHA-512:	6FF67999E14E7A4DD8AA0C282D9E2237B0439DD2B840C9DA275B1CA070A03FF2A3779AA323870AAAA90CEBE143DDD67B68B1F54638D943B9A709099298510BD8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929145892120818
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNPQm:8S+OfJQPUFpOdwNIOdYVjvYcXaNLvZ8P
MD5:	604FADE8DB3A383FC1B8AC460826FCF5
SHA1:	47121FCFF88CD99232D8563BD4C0DC3AAFFE5302
SHA-256:	9414C1877279069DA8A3C749134E262C2CADD8DB97FF724C168B4F804BD0BD28
SHA-512:	6FF67999E14E7A4DD8AA0C282D9E2237B0439DD2B840C9DA275B1CA070A03FF2A3779AA323870AAAA90CEBE143DDD67B68B1F54638D943B9A709099298510BD8
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0733666067446506
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkij:DLhesh7Owd4+jij
MD5:	43B0A00E1ECD24A2B97786C02B246387
SHA1:	92C870C7B478FD64AAA7C29A363BD5D1E65E8958
SHA-256:	F40D0407F26A203DAE6EBC81BDEA643A58DDBBFDA7CBB9637E615A231263E1B2
SHA-512:	6E87D93B1FC00226346B749DB9972EFE89D2832447FA5BFE4E7988F763C015EBEC9FED602A0C815F10369CC646E2AA9F0E64522A1D6335BFB55025963E963235
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039751381258926154
Encrypted:	false
SSDEEP:	3:GHlhVD5YZV6m8jFAlhVD5YZV6m8jFAl8a9//Ylll4llqlyllel4lt:G7VCZVr8jFUVCZVr8jFAL9XIwlio
MD5:	004363A747BC1FD4F1B9A7A5F5303E35
SHA1:	E51E5A7797A0A7C946609DA346F1ED6E1C7BBAB9
SHA-256:	1B9AEF9A2F0758D01E656183913F1A5E4536DE95B9E98371D630200DE30B688D
SHA-512:	611284C4B76CFEF39A65E7CF5141EF217F0541E276FADE09FD6264ABEA33879BADFB0958CE17765230953BE4A77365E398E5A96EC4608706519AE56B2DE911CE
Malicious:	false
Preview:	..-.....................n\...c.Q.s.2.WD...a^nS ..-.....................n\...c.Q.s.2.WD...a^nS ........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11797190804878492
Encrypted:	false
SSDEEP:	24:KjSgfkAzLxsZ+JUjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxx4wlSLqVZ2i7+:MSgMARQ6CJtUnWdU+RVxxp8LAZk
MD5:	0D3875C0954EDBAECA1E36CC33E242DE
SHA1:	09D6678F2A26D196BD79168D0376E30A225F3824
SHA-256:	E720AE4CA7290D6D0814B1286BBAD3DD42468FF193F21127DBA2D3A62A8DCCE8
SHA-512:	62218B145981B510100B4BC06E3B3243C31ACCDA610B40646F7D008222ECE2E9E978EDC8C294F7785F9B58C5E935B7EF236C89FB6F00FAE4BABCEBF3ABD08D2B
Malicious:	false
Preview:	7....-...........s.2.WD..v..=..........s.2.WD..Z48.X#................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49678723139559
Encrypted:	false
SSDEEP:	192:UnaRtLYbBp6ahj4qyaaXz6KZhNnE5RfGNBw8dGSl:pe0qlirMcw90
MD5:	1193B9A269BF66BBCCEA3384A754BB84
SHA1:	0ACF86A75E059F083A8DA338913A95A5A368A7E0
SHA-256:	DDEDD60673E96DA8B19BFB9B72AC9C236B97D5E634979E630181EA94B2F5DA0A
SHA-512:	9809D9B96966E3A21BB7C1BF40379A13C266D206143A4D6618F65C6A5B92CA641164EC75E01B9522A70FCF0A9F909B7428076A163BBE0ABE66F6876B8A07228E
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734069684);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734069684);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734069684);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173406

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49678723139559
Encrypted:	false
SSDEEP:	192:UnaRtLYbBp6ahj4qyaaXz6KZhNnE5RfGNBw8dGSl:pe0qlirMcw90
MD5:	1193B9A269BF66BBCCEA3384A754BB84
SHA1:	0ACF86A75E059F083A8DA338913A95A5A368A7E0
SHA-256:	DDEDD60673E96DA8B19BFB9B72AC9C236B97D5E634979E630181EA94B2F5DA0A
SHA-512:	9809D9B96966E3A21BB7C1BF40379A13C266D206143A4D6618F65C6A5B92CA641164EC75E01B9522A70FCF0A9F909B7428076A163BBE0ABE66F6876B8A07228E
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734069684);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734069684);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734069684);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173406

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\8aa18083-0aea-42e0-9d05-96e0c4850760 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.9353228964603515
Encrypted:	false
SSDEEP:	12:YZFg/aDgDEbIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YYaDyEbSlCOlZGV1AQIWZcy6Z2d
MD5:	E357DAA65A307C76EDD0493A75835562
SHA1:	1B0E632B17525AC8B4A12D0710F3ECCCB1047AE1
SHA-256:	7C835164025C29B91186C6E48086A830B672FD2F92ACFB550EA886AE72B45891
SHA-512:	DC2AA325FDBC159C93F96A3DF4E1A4AD1FEA2FDCDE1F722E68A97A2D74050268D81C71B40A43E4262E6661CBAB7161FC8AAAA22EDD8BE5E6AD143B3C31BA09E1
Malicious:	false
Preview:	{"type":"health","id":"8aa18083-0aea-42e0-9d05-96e0c4850760","creationDate":"2024-12-13T06:01:55.168Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\8aa18083-0aea-42e0-9d05-96e0c4850760.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.9353228964603515
Encrypted:	false
SSDEEP:	12:YZFg/aDgDEbIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YYaDyEbSlCOlZGV1AQIWZcy6Z2d
MD5:	E357DAA65A307C76EDD0493A75835562
SHA1:	1B0E632B17525AC8B4A12D0710F3ECCCB1047AE1
SHA-256:	7C835164025C29B91186C6E48086A830B672FD2F92ACFB550EA886AE72B45891
SHA-512:	DC2AA325FDBC159C93F96A3DF4E1A4AD1FEA2FDCDE1F722E68A97A2D74050268D81C71B40A43E4262E6661CBAB7161FC8AAAA22EDD8BE5E6AD143B3C31BA09E1
Malicious:	false
Preview:	{"type":"health","id":"8aa18083-0aea-42e0-9d05-96e0c4850760","creationDate":"2024-12-13T06:01:55.168Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	6.358566666730642
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSMxNSLXnIg9AI/pnxQwRls6ZspHVLdGH3j6xiM4tdLgA5QH2oXpTur/:cpOxbS3nRTZYxoGxH44gkpTgw6w4
MD5:	BA0925AED5F58B92C8DCA93B39B7DDF6
SHA1:	06AF93D759A64E440D9FA95877B6C43DFFA4A9CF
SHA-256:	B9C1F9C9187D7EF64386A4F2F139AB94AFD2E91D68AB36C313700CBB425A0963
SHA-512:	FFD75524C769EBAC31EB359813D2B6E73C33ADACC253EE71921FEBE7843A3ECC5324B1A69DBA6C94EBD904A3D5FF7E2E274B1BE7E47CEB756EAA69FA5F8057A6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{45cf75ee-ca4b-4f0a-af87-7c7f922548f1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734069688662,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...3,"startTim..P53413...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...60540,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	6.358566666730642
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSMxNSLXnIg9AI/pnxQwRls6ZspHVLdGH3j6xiM4tdLgA5QH2oXpTur/:cpOxbS3nRTZYxoGxH44gkpTgw6w4
MD5:	BA0925AED5F58B92C8DCA93B39B7DDF6
SHA1:	06AF93D759A64E440D9FA95877B6C43DFFA4A9CF
SHA-256:	B9C1F9C9187D7EF64386A4F2F139AB94AFD2E91D68AB36C313700CBB425A0963
SHA-512:	FFD75524C769EBAC31EB359813D2B6E73C33ADACC253EE71921FEBE7843A3ECC5324B1A69DBA6C94EBD904A3D5FF7E2E274B1BE7E47CEB756EAA69FA5F8057A6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{45cf75ee-ca4b-4f0a-af87-7c7f922548f1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734069688662,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...3,"startTim..P53413...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...60540,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	6.358566666730642
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSMxNSLXnIg9AI/pnxQwRls6ZspHVLdGH3j6xiM4tdLgA5QH2oXpTur/:cpOxbS3nRTZYxoGxH44gkpTgw6w4
MD5:	BA0925AED5F58B92C8DCA93B39B7DDF6
SHA1:	06AF93D759A64E440D9FA95877B6C43DFFA4A9CF
SHA-256:	B9C1F9C9187D7EF64386A4F2F139AB94AFD2E91D68AB36C313700CBB425A0963
SHA-512:	FFD75524C769EBAC31EB359813D2B6E73C33ADACC253EE71921FEBE7843A3ECC5324B1A69DBA6C94EBD904A3D5FF7E2E274B1BE7E47CEB756EAA69FA5F8057A6
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{45cf75ee-ca4b-4f0a-af87-7c7f922548f1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734069688662,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...3,"startTim..P53413...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...60540,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032638798121052
Encrypted:	false
SSDEEP:	48:YrSAYO76UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycyyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	548E1265F6C8F3D7255DDD4779D46BF0
SHA1:	52D7545B0B078AF89F8684932E92472366BCA9F9
SHA-256:	ED6381523A7389BFCD787D68A8314F84181D33FAE36A3AEAA70FA0E62D20910F
SHA-512:	FAAC7DAD1F7A166D1BC4AD3FA157B61401CBC909EA9E58742B6A881EC07642285C4F38CF318C5F0BE22D37E84B68CDE41A765CBF61805826470DD14000FBAF39
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T06:01:11.292Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032638798121052
Encrypted:	false
SSDEEP:	48:YrSAYO76UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycyyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	548E1265F6C8F3D7255DDD4779D46BF0
SHA1:	52D7545B0B078AF89F8684932E92472366BCA9F9
SHA-256:	ED6381523A7389BFCD787D68A8314F84181D33FAE36A3AEAA70FA0E62D20910F
SHA-512:	FAAC7DAD1F7A166D1BC4AD3FA157B61401CBC909EA9E58742B6A881EC07642285C4F38CF318C5F0BE22D37E84B68CDE41A765CBF61805826470DD14000FBAF39
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T06:01:11.292Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.700093786879539
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	969'216 bytes
MD5:	cfd9ab2985983b15f40a6f8ddda94ee0
SHA1:	1b3aa3ee12fb143281e3b704208bee2a0e045697
SHA256:	54fa403f5d329dd8060e67a18fc46ce1bd3d75a8d5e6c88820c59ede26f83e87
SHA512:	665dcff2d024376db57ef5c3a4f7788aab3ad04ae8f830426b6f95e8d2ec888a8bddd78a87ae464f7277b3c04875ce78f0a70e57c675b0aa34bf75b24af9e21f
SSDEEP:	24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8a87GAsa:rTvC/MTQYxsWR7a87GAs
TLSH:	A5259E027391C062FFAB92334F5AF6515BBC69260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BB5F6 [Fri Dec 13 04:20:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA09454F733h
jmp 00007FA09454F03Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA09454F21Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA09454F1EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA094551DDDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA094551E28h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA094551E11h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x15f08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x15f08	0x16000	aeea5c0c3ad919aee950866bd8187ee5	False	0.6982754794034091	data	7.155141989080583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd08c	data			1.0004870008241553
RT_GROUP_ICON	0xe9988	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9a00	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9a14	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9a28	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9a3c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9b18	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 05:49:34.622423887 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:34.622520924 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 05:49:34.628920078 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:34.634181976 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:34.634206057 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 05:49:35.862566948 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 05:49:35.863039970 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:35.883254051 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:35.883285046 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 05:49:35.883455038 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:35.883862972 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 05:49:35.886945009 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:49:37.448277950 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:37.448322058 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:37.449157000 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:37.450644016 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:37.450659990 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:38.062638998 CET	49739	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:38.069017887 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:38.069081068 CET	443	49740	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:38.074398041 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:38.077507973 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:38.077524900 CET	443	49740	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:38.183072090 CET	80	49739	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:38.183180094 CET	49739	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:38.183335066 CET	49739	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:38.303479910 CET	80	49739	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:38.741380930 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:38.741430044 CET	443	49742	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:38.751168013 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:38.752496958 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:38.752513885 CET	443	49742	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:38.891832113 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:38.891921997 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:38.892057896 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:38.893392086 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:38.893429995 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:38.906614065 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:38.906698942 CET	443	49744	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:38.906815052 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:38.906899929 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:38.906922102 CET	443	49744	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:39.085833073 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:39.085961103 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:39.087155104 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:39.087563038 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:39.087606907 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:39.154109001 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.154182911 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.155107021 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.155165911 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.158663988 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.158663988 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.158679962 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.158866882 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.158998966 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.269131899 CET	80	49739	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:39.318929911 CET	49739	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:39.472091913 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:39.591882944 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:39.604300976 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:39.604459047 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:39.724195957 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:39.775610924 CET	443	49740	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.775691986 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.776619911 CET	443	49740	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.776716948 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.780953884 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.780965090 CET	443	49740	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.781089067 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.781315088 CET	443	49740	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.781524897 CET	49740	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.781554937 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.781604052 CET	443	49747	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.781864882 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.783343077 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:39.783361912 CET	443	49747	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:39.979928017 CET	443	49742	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:39.979947090 CET	443	49742	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:39.989753962 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.993927002 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.993943930 CET	443	49742	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:39.994049072 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.994237900 CET	443	49742	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:39.994481087 CET	49742	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.994586945 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.994688034 CET	443	49748	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:39.994774103 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.996078968 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:39.996112108 CET	443	49748	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:40.120899916 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:40.121016979 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.122629881 CET	443	49744	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:40.123162985 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:40.125782013 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:40.125796080 CET	443	49744	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:40.126029968 CET	443	49744	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:40.129112959 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.129164934 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:40.129196882 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.129271984 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:40.129339933 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:40.129419088 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:40.129450083 CET	443	49744	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:40.129559994 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.129565001 CET	49744	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:40.141899109 CET	49739	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.245465994 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.245568037 CET	443	49750	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:40.246586084 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.252927065 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.254210949 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:40.254288912 CET	443	49750	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:40.262063980 CET	80	49739	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:40.263605118 CET	49739	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.308994055 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:40.321844101 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.327002048 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.327045918 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:40.327395916 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:40.329454899 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.329569101 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.329658031 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:40.329912901 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.329961061 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.329967022 CET	443	49752	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:40.330022097 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.330135107 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:40.330144882 CET	443	49752	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:40.366638899 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:40.367120981 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.367304087 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.487138033 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:40.689614058 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:40.694221020 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.787261963 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:40.787359953 CET	443	49754	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:40.792051077 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:40.793477058 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:40.793519020 CET	443	49754	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:40.814475060 CET	80	49746	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:40.823287964 CET	49746	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:40.967097044 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:40.967200041 CET	443	49755	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:40.967319965 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:40.978297949 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:40.978338957 CET	443	49755	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:41.052102089 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:41.052143097 CET	443	49756	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:41.052331924 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:41.052546024 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:41.052563906 CET	443	49756	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:41.218806028 CET	443	49748	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:41.223340034 CET	443	49748	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:41.225444078 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:41.229681015 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:41.229711056 CET	443	49748	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:41.229754925 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:41.230003119 CET	443	49748	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:41.230860949 CET	49748	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:41.453293085 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:41.475908995 CET	443	49747	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:41.476022959 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:41.476912975 CET	443	49747	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:41.477027893 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:41.481218100 CET	443	49750	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:41.481254101 CET	443	49750	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:41.481337070 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:41.494329929 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:41.542884111 CET	443	49752	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:41.542969942 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:42.012003899 CET	443	49754	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:42.012080908 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:42.201600075 CET	443	49755	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:42.201690912 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:42.265366077 CET	443	49756	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:42.265450954 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:42.627819061 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:42.627844095 CET	443	49756	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:42.628822088 CET	443	49756	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:42.633002043 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:42.633080959 CET	443	49752	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:42.634118080 CET	443	49752	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:42.637839079 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:42.641638041 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:42.641638041 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:42.641655922 CET	443	49747	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:42.641710043 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:42.641917944 CET	443	49747	142.250.181.110	192.168.2.4
Dec 13, 2024 05:49:42.641936064 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:42.642080069 CET	443	49756	35.244.181.201	192.168.2.4
Dec 13, 2024 05:49:42.645612001 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:42.645689964 CET	443	49750	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:42.645783901 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:42.645875931 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:42.646106005 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:42.646228075 CET	443	49750	34.117.188.166	192.168.2.4
Dec 13, 2024 05:49:42.646322966 CET	443	49752	34.160.144.191	192.168.2.4
Dec 13, 2024 05:49:42.647696018 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:42.647718906 CET	443	49754	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:42.647748947 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:42.647969007 CET	443	49754	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:42.650209904 CET	49750	443	192.168.2.4	34.117.188.166
Dec 13, 2024 05:49:42.650213003 CET	49752	443	192.168.2.4	34.160.144.191
Dec 13, 2024 05:49:42.650264978 CET	49747	443	192.168.2.4	142.250.181.110
Dec 13, 2024 05:49:42.650264978 CET	49756	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:49:42.650300980 CET	49754	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:42.758002996 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:42.758100033 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:42.846643925 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:42.846685886 CET	443	49755	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:42.846973896 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:42.847234011 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:42.847414970 CET	443	49755	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:42.848223925 CET	49755	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:42.967209101 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:43.845088005 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:43.905616999 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:47.506905079 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:47.506962061 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:47.509666920 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:47.510926962 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:47.510946989 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:47.572932959 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:47.693087101 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:47.887998104 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:47.939229012 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:48.730627060 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:48.730701923 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:48.735450029 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:48.735465050 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:48.735519886 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:48.735682011 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:48.736291885 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:49.884536028 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:50.004539013 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:50.200208902 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:50.245846033 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:50.731462002 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:50.851268053 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:50.864463091 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:50.864546061 CET	443	49764	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:50.870910883 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:50.973072052 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:50.973118067 CET	443	49764	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:50.974018097 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.974065065 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:50.974165916 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.974215031 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:50.974440098 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.974451065 CET	443	49767	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:50.975709915 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.975723982 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.975745916 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.975908995 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.975925922 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:50.975992918 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.976006031 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:50.977340937 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:50.977350950 CET	443	49767	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:51.046561956 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:51.062232971 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:51.095006943 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:51.182100058 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:51.377351999 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:51.427175045 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:52.192822933 CET	443	49767	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.192959070 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.193571091 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.193677902 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.194194078 CET	443	49764	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:52.194273949 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:52.197673082 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.197747946 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.547338009 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.547368050 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.547818899 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.549179077 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.549217939 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.549649954 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.599427938 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.599586964 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.663727045 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.663805008 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.664026022 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.664062023 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:52.664062023 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:52.664144993 CET	443	49764	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:52.664203882 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.664205074 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.664247036 CET	443	49767	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.664412022 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.664866924 CET	443	49764	34.149.100.209	192.168.2.4
Dec 13, 2024 05:49:52.665000916 CET	443	49767	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:52.665066004 CET	49767	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:52.665072918 CET	49764	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:49:53.221059084 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.221187115 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.221635103 CET	443	49765	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.221785069 CET	49765	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.366471052 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:53.371175051 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.371264935 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.371279001 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.371345043 CET	443	49770	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.372071028 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.372184038 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.372268915 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.372304916 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.373681068 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.373699903 CET	443	49770	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.393845081 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.393942118 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.394203901 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.394324064 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:53.394361973 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:53.486174107 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:53.519536972 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:53.519594908 CET	443	49772	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:53.519978046 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:53.521446943 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:53.521475077 CET	443	49772	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:53.681348085 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:53.699721098 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:53.733987093 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:53.819658041 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:54.015140057 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:54.056934118 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:54.590758085 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.592139006 CET	443	49770	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.595415115 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.599361897 CET	443	49770	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.605443954 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.605556965 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.609035015 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.615331888 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.621068001 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.632210016 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.632266998 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.633189917 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.635422945 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.635481119 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.635776043 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.642932892 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.643480062 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.647281885 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.647339106 CET	443	49769	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.648392916 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.648426056 CET	443	49770	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.648458958 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.649019957 CET	443	49770	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.649127007 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.649127007 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.649358988 CET	443	49771	34.120.208.123	192.168.2.4
Dec 13, 2024 05:49:54.658761978 CET	49770	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.658806086 CET	49771	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.658807039 CET	49769	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:49:54.674777985 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:54.737327099 CET	443	49772	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:54.743417025 CET	443	49772	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:54.746665001 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:54.787631989 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:54.787632942 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:54.787692070 CET	443	49772	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:54.788326979 CET	443	49772	34.107.243.93	192.168.2.4
Dec 13, 2024 05:49:54.793777943 CET	49772	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:49:54.795067072 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:54.989849091 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:54.992819071 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:55.036567926 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:49:55.113074064 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:55.309709072 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:49:55.352977991 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:03.624984980 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:03.625077009 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 05:50:03.625299931 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:03.625320911 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:03.625860929 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:03.627110958 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:03.627110958 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:03.627163887 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 05:50:03.627245903 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:03.627264023 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:03.748629093 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:03.748680115 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:03.749110937 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:03.749305964 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:03.749319077 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:03.934501886 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:03.934601068 CET	443	49776	35.201.103.21	192.168.2.4
Dec 13, 2024 05:50:03.934968948 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:03.936887980 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:03.936929941 CET	443	49776	35.201.103.21	192.168.2.4
Dec 13, 2024 05:50:04.033384085 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.033442020 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.033915043 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.048027992 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.048047066 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.844027996 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.844198942 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.847119093 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 05:50:04.848402023 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.848436117 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.848711014 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:04.848818064 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.853539944 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.853724957 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.853733063 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.853750944 CET	443	49774	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.854754925 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.854850054 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:04.854852915 CET	443	49778	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.854871988 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 05:50:04.854960918 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:04.855045080 CET	443	49773	35.190.72.216	192.168.2.4
Dec 13, 2024 05:50:04.856774092 CET	49774	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.856816053 CET	49773	443	192.168.2.4	35.190.72.216
Dec 13, 2024 05:50:04.856834888 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.857146025 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:04.857180119 CET	443	49778	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:04.868237019 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:04.967153072 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:04.967253923 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:04.971615076 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:04.971630096 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:04.971992016 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:04.974885941 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:04.975075006 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:04.975083113 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:04.975094080 CET	443	49775	151.101.193.91	192.168.2.4
Dec 13, 2024 05:50:04.981936932 CET	49775	443	192.168.2.4	151.101.193.91
Dec 13, 2024 05:50:04.984740973 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.984780073 CET	443	49779	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.985194921 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.985356092 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.985377073 CET	443	49779	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.987631083 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.987731934 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.988042116 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.988178968 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.988212109 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.990773916 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.990812063 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.991245031 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.991729975 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:04.991749048 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:04.996758938 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:04.996850967 CET	443	49782	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:04.997241020 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:04.997564077 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:04.999542952 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:04.999576092 CET	443	49782	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:05.078089952 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:05.117238045 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:05.157454014 CET	443	49776	35.201.103.21	192.168.2.4
Dec 13, 2024 05:50:05.157756090 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:05.163239956 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:05.163268089 CET	443	49776	35.201.103.21	192.168.2.4
Dec 13, 2024 05:50:05.163364887 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:05.163467884 CET	443	49776	35.201.103.21	192.168.2.4
Dec 13, 2024 05:50:05.163593054 CET	49776	443	192.168.2.4	35.201.103.21
Dec 13, 2024 05:50:05.178514957 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:05.178599119 CET	443	49783	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:05.178689957 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:05.178838015 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:05.178855896 CET	443	49783	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:05.260545969 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:05.260782003 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:05.265062094 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:05.265074968 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:05.265315056 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:05.268620014 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:05.268764973 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:05.268774986 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:05.268785954 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:05.269025087 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:05.275470018 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:05.278790951 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:05.314073086 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:05.329715014 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:05.398462057 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:05.433723927 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:05.593657970 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:05.652781963 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:06.074239969 CET	443	49778	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.074399948 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.078974009 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.079005957 CET	443	49778	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.079360962 CET	443	49778	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.082619905 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.082755089 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.082793951 CET	443	49778	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.082967043 CET	49778	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.087191105 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:06.201524973 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.201617002 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.203104973 CET	443	49779	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.203291893 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.205262899 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.205344915 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.205621958 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.205642939 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.205981016 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.207139015 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:06.209151030 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.209161043 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.209507942 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.209855080 CET	443	49782	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:06.212340117 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.212357998 CET	443	49779	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.212579966 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:06.212711096 CET	443	49779	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.220899105 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.221111059 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.221359015 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.221380949 CET	443	49780	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.221456051 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.221628904 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.222014904 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.222024918 CET	443	49781	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.222110033 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.222177982 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.222429991 CET	443	49779	35.244.181.201	192.168.2.4
Dec 13, 2024 05:50:06.222711086 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:06.222760916 CET	443	49782	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:06.222790956 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:06.222907066 CET	443	49782	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:06.223232031 CET	49779	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.223253012 CET	49782	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:06.223254919 CET	49780	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.223267078 CET	49781	443	192.168.2.4	35.244.181.201
Dec 13, 2024 05:50:06.389818907 CET	443	49783	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.389986038 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.394382000 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.394411087 CET	443	49783	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.394794941 CET	443	49783	34.149.100.209	192.168.2.4
Dec 13, 2024 05:50:06.397701025 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.397815943 CET	49783	443	192.168.2.4	34.149.100.209
Dec 13, 2024 05:50:06.402074099 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:06.405385971 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:06.455226898 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:06.525032043 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:06.720319986 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:06.771735907 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:16.414763927 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:16.456478119 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:16.534527063 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:16.576152086 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:16.731147051 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:16.771404028 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:16.773962021 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:16.815782070 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:16.850805044 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:16.894668102 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:17.091357946 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:17.132322073 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:26.485143900 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:26.485238075 CET	443	49793	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:26.485511065 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:26.486737013 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:26.486772060 CET	443	49793	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:26.775799036 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:26.895898104 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:27.092398882 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:27.212583065 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:27.706260920 CET	443	49793	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:27.706453085 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:27.710671902 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:27.710671902 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:27.710730076 CET	443	49793	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:27.711374044 CET	443	49793	34.107.243.93	192.168.2.4
Dec 13, 2024 05:50:27.712441921 CET	49793	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:50:27.712901115 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:27.832890034 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:28.028347015 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:28.030934095 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:28.079504967 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:28.151138067 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:28.348479986 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:28.395989895 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:33.700123072 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.700131893 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.700170040 CET	443	49810	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:33.700220108 CET	443	49809	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:33.700265884 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.700287104 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:33.702008009 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.702173948 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.702179909 CET	443	49810	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:33.702186108 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.702187061 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.702318907 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.702337027 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:33.702392101 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:33.702405930 CET	443	49809	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.915303946 CET	443	49810	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.915374994 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.915775061 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.916018009 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.918437958 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.918446064 CET	443	49810	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.918839931 CET	443	49810	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.920427084 CET	443	49809	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.920553923 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.920619965 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.920679092 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.921109915 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.923321962 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.923377991 CET	443	49809	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.924067974 CET	443	49809	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.926457882 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.926542997 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.926769018 CET	443	49810	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.927294970 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.927294970 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.927684069 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.927731037 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.927771091 CET	443	49811	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.927824020 CET	49810	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.927958965 CET	49811	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.928020000 CET	443	49809	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.928131104 CET	49809	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.931845903 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:34.936718941 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.936805010 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.942164898 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.942230940 CET	443	49818	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.942284107 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.942370892 CET	443	49819	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.942612886 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.942728996 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.942729950 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.942830086 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.942857981 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.942991972 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.943011045 CET	443	49819	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.943104029 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.943124056 CET	443	49818	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.945372105 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.945450068 CET	443	49820	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:34.945684910 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.945816994 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:34.945827961 CET	443	49820	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:35.051649094 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:35.246743917 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:35.249773026 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:35.301270008 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:35.370075941 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:35.565383911 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:35.617820978 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:36.156749964 CET	443	49818	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.156968117 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.159789085 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.159801006 CET	443	49818	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.160120964 CET	443	49818	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.161972046 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.162070036 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.162132025 CET	443	49818	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.162722111 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.162962914 CET	49818	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.163094997 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.163997889 CET	443	49819	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.164035082 CET	443	49820	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.165522099 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.165550947 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.165751934 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:36.165976048 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.166106939 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.166239023 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.168206930 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.168220043 CET	443	49819	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.168620110 CET	443	49819	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.170516014 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.170530081 CET	443	49820	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.170922041 CET	443	49820	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.172908068 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.173090935 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.173142910 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.173158884 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.174252033 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.174319029 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.174633980 CET	443	49819	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.175098896 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.175184965 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.175282955 CET	443	49820	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.176825047 CET	49819	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.176826000 CET	49820	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.285491943 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:36.383408070 CET	443	49817	34.120.208.123	192.168.2.4
Dec 13, 2024 05:50:36.383661032 CET	49817	443	192.168.2.4	34.120.208.123
Dec 13, 2024 05:50:36.480904102 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:36.483427048 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:36.535948992 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:36.603238106 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:36.798618078 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:36.852504969 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:46.486255884 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:46.606662035 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:46.802759886 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:46.923144102 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:56.614157915 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:56.734322071 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:50:56.930460930 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:50:57.050605059 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:06.743712902 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:06.863506079 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:07.060275078 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:07.179990053 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:07.838504076 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:07.838551044 CET	443	49894	34.107.243.93	192.168.2.4
Dec 13, 2024 05:51:07.838723898 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:07.840920925 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:07.840940952 CET	443	49894	34.107.243.93	192.168.2.4
Dec 13, 2024 05:51:09.069977045 CET	443	49894	34.107.243.93	192.168.2.4
Dec 13, 2024 05:51:09.070070982 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:09.078058004 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:09.078063965 CET	443	49894	34.107.243.93	192.168.2.4
Dec 13, 2024 05:51:09.078170061 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:09.078236103 CET	443	49894	34.107.243.93	192.168.2.4
Dec 13, 2024 05:51:09.080692053 CET	49894	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:51:09.081710100 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:09.201462030 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:09.396327019 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:09.414021015 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:09.451867104 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:09.533984900 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:09.729845047 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:09.784040928 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:19.411511898 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:19.531238079 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:19.750173092 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:19.869956970 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:29.539268970 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:29.659012079 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:29.877857924 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:29.997581959 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:39.668720961 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:39.788455009 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:40.007458925 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:40.127993107 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:49.798577070 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:49.918797970 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:50.137103081 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:51:50.256783962 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:51:59.927386999 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:00.047595978 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:00.266083002 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:00.386393070 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:10.056745052 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:10.176443100 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:10.395353079 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:10.515252113 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:20.186098099 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:20.305768013 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:20.524790049 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:20.645302057 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:29.967351913 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:29.967401981 CET	443	50062	34.107.243.93	192.168.2.4
Dec 13, 2024 05:52:29.967786074 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:29.968769073 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:29.968790054 CET	443	50062	34.107.243.93	192.168.2.4
Dec 13, 2024 05:52:30.315072060 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:30.436965942 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:30.653748989 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:30.773619890 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:31.185349941 CET	443	50062	34.107.243.93	192.168.2.4
Dec 13, 2024 05:52:31.186734915 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:31.191593885 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:31.191613913 CET	443	50062	34.107.243.93	192.168.2.4
Dec 13, 2024 05:52:31.191703081 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:31.191777945 CET	443	50062	34.107.243.93	192.168.2.4
Dec 13, 2024 05:52:31.194727898 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:31.202096939 CET	50062	443	192.168.2.4	34.107.243.93
Dec 13, 2024 05:52:31.314882994 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:31.509577990 CET	80	49751	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:31.523417950 CET	49757	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:31.571971893 CET	49751	80	192.168.2.4	34.107.221.82
Dec 13, 2024 05:52:31.643884897 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:31.890579939 CET	80	49757	34.107.221.82	192.168.2.4
Dec 13, 2024 05:52:31.958664894 CET	49757	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 05:49:34.623652935 CET	61904	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:34.760803938 CET	53	61904	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:34.761735916 CET	63419	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:34.899415970 CET	53	63419	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:37.304579020 CET	50429	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:37.310197115 CET	59246	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:37.445446014 CET	57132	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:37.447537899 CET	53	59246	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:37.448357105 CET	51535	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:37.583045959 CET	53	57132	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:37.583859921 CET	61199	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:37.585742950 CET	53	51535	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:37.588773966 CET	64807	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:37.722636938 CET	53	61199	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:37.726783991 CET	53	64807	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:38.429522991 CET	61695	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:38.567384005 CET	53	61695	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:38.742088079 CET	50647	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:38.754060030 CET	55056	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:38.879081964 CET	53	50647	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:38.879690886 CET	58834	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:38.891027927 CET	53	55056	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:38.891947031 CET	56422	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:38.906752110 CET	55958	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:38.938524008 CET	56640	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.017364979 CET	53	58834	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.044303894 CET	53	55958	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.046034098 CET	55328	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.076433897 CET	53	56640	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.086350918 CET	57501	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.112071991 CET	53	56422	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.112665892 CET	64226	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.183257103 CET	53	55328	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.253345966 CET	53	64226	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.274247885 CET	54446	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.274674892 CET	52100	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.314244986 CET	53	57501	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.315035105 CET	50394	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.331765890 CET	58778	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:39.411374092 CET	53	54446	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.411859989 CET	53	52100	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:39.452977896 CET	53	50394	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:40.265551090 CET	55626	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:40.369055033 CET	60131	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:40.506150961 CET	53	60131	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:40.507325888 CET	65397	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:40.644800901 CET	53	65397	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:40.646275043 CET	61839	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:40.784006119 CET	53	61839	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:40.828351974 CET	57841	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:40.939666033 CET	53	52124	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:40.966012001 CET	53	57841	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:40.967400074 CET	55455	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:41.105068922 CET	53	55455	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:41.119184017 CET	62702	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:41.256279945 CET	53	62702	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:47.507369995 CET	50162	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:47.645626068 CET	53	50162	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:47.646425009 CET	61454	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:47.783987999 CET	53	61454	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.571727037 CET	63155	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.571963072 CET	50210	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.572174072 CET	54701	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.709353924 CET	53	63155	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.710231066 CET	60694	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.710278988 CET	53	50210	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.710920095 CET	59311	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.710967064 CET	53	54701	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.711754084 CET	49262	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.847364902 CET	53	60694	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.847996950 CET	53	59311	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.849430084 CET	64817	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.849905968 CET	53565	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.942563057 CET	53	49262	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.943190098 CET	65077	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.986730099 CET	53	64817	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.986809015 CET	53	53565	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:50.987407923 CET	62635	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:50.987427950 CET	59681	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:51.124989986 CET	53	59681	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:51.125821114 CET	50047	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:51.157382965 CET	53	65077	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:51.196325064 CET	53	62635	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:51.196943045 CET	50531	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:51.263602018 CET	53	50047	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:51.264349937 CET	63324	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:51.401565075 CET	53	63324	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:51.407111883 CET	53	50531	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:51.407939911 CET	55635	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:51.629453897 CET	53	55635	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:53.344734907 CET	50162	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:53.366286993 CET	60106	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:53.371227980 CET	59148	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:53.484280109 CET	53	50162	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:53.485292912 CET	54296	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:53.515532970 CET	53	60106	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:53.515625000 CET	53	59148	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:53.519910097 CET	61681	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:53.626308918 CET	53	54296	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:53.626841068 CET	64419	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:49:53.657188892 CET	53	61681	1.1.1.1	192.168.2.4
Dec 13, 2024 05:49:53.764925003 CET	53	64419	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:03.608036041 CET	54707	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:03.625777960 CET	59411	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:03.746334076 CET	53	54707	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:03.749053001 CET	50175	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:03.887732029 CET	53	50175	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:03.892905951 CET	63420	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:03.933208942 CET	53	59411	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:03.934961081 CET	54075	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:04.031737089 CET	53	63420	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:04.034049988 CET	63646	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:04.073899031 CET	53	54075	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:04.074739933 CET	50577	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:04.170851946 CET	53	63646	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:04.212347031 CET	53	50577	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:05.000071049 CET	56727	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:05.137355089 CET	53	56727	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:26.345912933 CET	61069	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:26.483973026 CET	53	61069	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:26.485586882 CET	61310	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:26.623100996 CET	53	61310	1.1.1.1	192.168.2.4
Dec 13, 2024 05:50:27.713274956 CET	50548	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:33.699455976 CET	49924	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:50:33.836453915 CET	53	49924	1.1.1.1	192.168.2.4
Dec 13, 2024 05:51:07.839591980 CET	53101	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:51:07.977174997 CET	53	53101	1.1.1.1	192.168.2.4
Dec 13, 2024 05:52:29.690408945 CET	56418	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:52:29.827655077 CET	53	56418	1.1.1.1	192.168.2.4
Dec 13, 2024 05:52:29.829027891 CET	58649	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:52:29.966288090 CET	53	58649	1.1.1.1	192.168.2.4
Dec 13, 2024 05:52:29.967320919 CET	54769	53	192.168.2.4	1.1.1.1
Dec 13, 2024 05:52:30.105427027 CET	53	54769	1.1.1.1	192.168.2.4
Dec 13, 2024 05:52:31.195467949 CET	51004	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 05:49:34.623652935 CET	192.168.2.4	1.1.1.1	0x3b70	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:34.761735916 CET	192.168.2.4	1.1.1.1	0x156f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:37.304579020 CET	192.168.2.4	1.1.1.1	0x44a3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.310197115 CET	192.168.2.4	1.1.1.1	0xb714	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.445446014 CET	192.168.2.4	1.1.1.1	0xd46f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.448357105 CET	192.168.2.4	1.1.1.1	0x2dc7	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.583859921 CET	192.168.2.4	1.1.1.1	0xbd9b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:37.588773966 CET	192.168.2.4	1.1.1.1	0xd1ac	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:38.429522991 CET	192.168.2.4	1.1.1.1	0x3837	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.742088079 CET	192.168.2.4	1.1.1.1	0x5fce	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.754060030 CET	192.168.2.4	1.1.1.1	0x7c91	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.879690886 CET	192.168.2.4	1.1.1.1	0x4501	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:38.891947031 CET	192.168.2.4	1.1.1.1	0x9fa2	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.906752110 CET	192.168.2.4	1.1.1.1	0x742b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.938524008 CET	192.168.2.4	1.1.1.1	0x1e23	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.046034098 CET	192.168.2.4	1.1.1.1	0x88c0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:39.086350918 CET	192.168.2.4	1.1.1.1	0x4587	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.112665892 CET	192.168.2.4	1.1.1.1	0x8efe	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:39.274247885 CET	192.168.2.4	1.1.1.1	0xd7bc	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.274674892 CET	192.168.2.4	1.1.1.1	0x6d59	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.315035105 CET	192.168.2.4	1.1.1.1	0x6736	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:39.331765890 CET	192.168.2.4	1.1.1.1	0x23a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.265551090 CET	192.168.2.4	1.1.1.1	0x1554	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.369055033 CET	192.168.2.4	1.1.1.1	0x785d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.507325888 CET	192.168.2.4	1.1.1.1	0xf29e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.646275043 CET	192.168.2.4	1.1.1.1	0x1df7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:40.828351974 CET	192.168.2.4	1.1.1.1	0xf45f	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.967400074 CET	192.168.2.4	1.1.1.1	0x2158	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:41.119184017 CET	192.168.2.4	1.1.1.1	0xad4f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:47.507369995 CET	192.168.2.4	1.1.1.1	0x12fb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:47.646425009 CET	192.168.2.4	1.1.1.1	0xa304	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:50.571727037 CET	192.168.2.4	1.1.1.1	0xfe7b	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.571963072 CET	192.168.2.4	1.1.1.1	0xa178	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.572174072 CET	192.168.2.4	1.1.1.1	0xa7c9	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.710231066 CET	192.168.2.4	1.1.1.1	0xb491	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.710920095 CET	192.168.2.4	1.1.1.1	0x6213	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.711754084 CET	192.168.2.4	1.1.1.1	0x5ce7	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.849430084 CET	192.168.2.4	1.1.1.1	0xb325	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:50.849905968 CET	192.168.2.4	1.1.1.1	0x283c	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:50.943190098 CET	192.168.2.4	1.1.1.1	0x7b7c	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 05:49:50.987407923 CET	192.168.2.4	1.1.1.1	0xa1c8	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.987427950 CET	192.168.2.4	1.1.1.1	0xd414	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.125821114 CET	192.168.2.4	1.1.1.1	0x5052	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.196943045 CET	192.168.2.4	1.1.1.1	0x305d	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.264349937 CET	192.168.2.4	1.1.1.1	0x30d8	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:51.407939911 CET	192.168.2.4	1.1.1.1	0x337	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 05:49:53.344734907 CET	192.168.2.4	1.1.1.1	0x3675	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:53.366286993 CET	192.168.2.4	1.1.1.1	0x9106	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:53.371227980 CET	192.168.2.4	1.1.1.1	0x4233	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:53.485292912 CET	192.168.2.4	1.1.1.1	0x15db	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:53.519910097 CET	192.168.2.4	1.1.1.1	0xedff	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:49:53.626841068 CET	192.168.2.4	1.1.1.1	0xc2a4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:50:03.608036041 CET	192.168.2.4	1.1.1.1	0x667	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.625777960 CET	192.168.2.4	1.1.1.1	0x65e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.749053001 CET	192.168.2.4	1.1.1.1	0xdb7f	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.892905951 CET	192.168.2.4	1.1.1.1	0x8760	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 05:50:03.934961081 CET	192.168.2.4	1.1.1.1	0x92b2	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:04.034049988 CET	192.168.2.4	1.1.1.1	0x8210	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 05:50:04.074739933 CET	192.168.2.4	1.1.1.1	0x53e8	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:50:05.000071049 CET	192.168.2.4	1.1.1.1	0x7cf2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:50:26.345912933 CET	192.168.2.4	1.1.1.1	0xeb82	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:26.485586882 CET	192.168.2.4	1.1.1.1	0x3597	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:50:27.713274956 CET	192.168.2.4	1.1.1.1	0x7ec0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:33.699455976 CET	192.168.2.4	1.1.1.1	0xb309	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:51:07.839591980 CET	192.168.2.4	1.1.1.1	0x9d18	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:52:29.690408945 CET	192.168.2.4	1.1.1.1	0x8136	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:52:29.829027891 CET	192.168.2.4	1.1.1.1	0x1b8f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:52:29.967320919 CET	192.168.2.4	1.1.1.1	0x9aec	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 05:52:31.195467949 CET	192.168.2.4	1.1.1.1	0x753a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 05:49:34.620270014 CET	1.1.1.1	192.168.2.4	0xd4a1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:34.760803938 CET	1.1.1.1	192.168.2.4	0x3b70	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.444029093 CET	1.1.1.1	192.168.2.4	0x44a3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:37.444029093 CET	1.1.1.1	192.168.2.4	0x44a3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.447537899 CET	1.1.1.1	192.168.2.4	0xb714	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.583045959 CET	1.1.1.1	192.168.2.4	0xd46f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.585742950 CET	1.1.1.1	192.168.2.4	0x2dc7	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:37.722636938 CET	1.1.1.1	192.168.2.4	0xbd9b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 05:49:37.726783991 CET	1.1.1.1	192.168.2.4	0xd1ac	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 05:49:38.567384005 CET	1.1.1.1	192.168.2.4	0x3837	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.879081964 CET	1.1.1.1	192.168.2.4	0x5fce	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.891027927 CET	1.1.1.1	192.168.2.4	0x7c91	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:38.891027927 CET	1.1.1.1	192.168.2.4	0x7c91	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:38.905926943 CET	1.1.1.1	192.168.2.4	0xaf8c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:38.905926943 CET	1.1.1.1	192.168.2.4	0xaf8c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.044303894 CET	1.1.1.1	192.168.2.4	0x742b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.076433897 CET	1.1.1.1	192.168.2.4	0x1e23	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:39.076433897 CET	1.1.1.1	192.168.2.4	0x1e23	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:39.076433897 CET	1.1.1.1	192.168.2.4	0x1e23	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.112071991 CET	1.1.1.1	192.168.2.4	0x9fa2	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.314244986 CET	1.1.1.1	192.168.2.4	0x4587	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.411374092 CET	1.1.1.1	192.168.2.4	0xd7bc	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.411859989 CET	1.1.1.1	192.168.2.4	0x6d59	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.411859989 CET	1.1.1.1	192.168.2.4	0x6d59	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:39.452977896 CET	1.1.1.1	192.168.2.4	0x6736	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 05:49:39.471366882 CET	1.1.1.1	192.168.2.4	0x23a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:39.471366882 CET	1.1.1.1	192.168.2.4	0x23a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.475287914 CET	1.1.1.1	192.168.2.4	0x1554	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:40.506150961 CET	1.1.1.1	192.168.2.4	0x785d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.644800901 CET	1.1.1.1	192.168.2.4	0xf29e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:40.966012001 CET	1.1.1.1	192.168.2.4	0xf45f	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:40.966012001 CET	1.1.1.1	192.168.2.4	0xf45f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:41.050292969 CET	1.1.1.1	192.168.2.4	0xc97	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:41.050292969 CET	1.1.1.1	192.168.2.4	0xc97	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:41.105068922 CET	1.1.1.1	192.168.2.4	0x2158	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:47.252342939 CET	1.1.1.1	192.168.2.4	0xe0ee	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:47.645626068 CET	1.1.1.1	192.168.2.4	0x12fb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.709353924 CET	1.1.1.1	192.168.2.4	0xfe7b	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.710278988 CET	1.1.1.1	192.168.2.4	0xa178	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:50.710278988 CET	1.1.1.1	192.168.2.4	0xa178	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.710967064 CET	1.1.1.1	192.168.2.4	0xa7c9	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:50.710967064 CET	1.1.1.1	192.168.2.4	0xa7c9	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847364902 CET	1.1.1.1	192.168.2.4	0xb491	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.847996950 CET	1.1.1.1	192.168.2.4	0x6213	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.870260000 CET	1.1.1.1	192.168.2.4	0xdff6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.942563057 CET	1.1.1.1	192.168.2.4	0x5ce7	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:50.986730099 CET	1.1.1.1	192.168.2.4	0xb325	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:49:50.986730099 CET	1.1.1.1	192.168.2.4	0xb325	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:49:50.986730099 CET	1.1.1.1	192.168.2.4	0xb325	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:49:50.986730099 CET	1.1.1.1	192.168.2.4	0xb325	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 05:49:50.986809015 CET	1.1.1.1	192.168.2.4	0x283c	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 05:49:51.124989986 CET	1.1.1.1	192.168.2.4	0xd414	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.157382965 CET	1.1.1.1	192.168.2.4	0x7b7c	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 05:49:51.196325064 CET	1.1.1.1	192.168.2.4	0xa1c8	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:51.196325064 CET	1.1.1.1	192.168.2.4	0xa1c8	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.196325064 CET	1.1.1.1	192.168.2.4	0xa1c8	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.196325064 CET	1.1.1.1	192.168.2.4	0xa1c8	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.196325064 CET	1.1.1.1	192.168.2.4	0xa1c8	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.263602018 CET	1.1.1.1	192.168.2.4	0x5052	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.407111883 CET	1.1.1.1	192.168.2.4	0x305d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.407111883 CET	1.1.1.1	192.168.2.4	0x305d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.407111883 CET	1.1.1.1	192.168.2.4	0x305d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:51.407111883 CET	1.1.1.1	192.168.2.4	0x305d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:53.484280109 CET	1.1.1.1	192.168.2.4	0x3675	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:53.484280109 CET	1.1.1.1	192.168.2.4	0x3675	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:49:53.484280109 CET	1.1.1.1	192.168.2.4	0x3675	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:53.515532970 CET	1.1.1.1	192.168.2.4	0x9106	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:49:53.626308918 CET	1.1.1.1	192.168.2.4	0x15db	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.746334076 CET	1.1.1.1	192.168.2.4	0x667	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.746334076 CET	1.1.1.1	192.168.2.4	0x667	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.746334076 CET	1.1.1.1	192.168.2.4	0x667	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.746334076 CET	1.1.1.1	192.168.2.4	0x667	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.887732029 CET	1.1.1.1	192.168.2.4	0xdb7f	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.887732029 CET	1.1.1.1	192.168.2.4	0xdb7f	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.887732029 CET	1.1.1.1	192.168.2.4	0xdb7f	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.887732029 CET	1.1.1.1	192.168.2.4	0xdb7f	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:03.933208942 CET	1.1.1.1	192.168.2.4	0x65e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:50:03.933208942 CET	1.1.1.1	192.168.2.4	0x65e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:04.031737089 CET	1.1.1.1	192.168.2.4	0x8760	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:50:04.031737089 CET	1.1.1.1	192.168.2.4	0x8760	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:50:04.031737089 CET	1.1.1.1	192.168.2.4	0x8760	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:50:04.031737089 CET	1.1.1.1	192.168.2.4	0x8760	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 05:50:04.032028913 CET	1.1.1.1	192.168.2.4	0x60fd	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:50:04.032028913 CET	1.1.1.1	192.168.2.4	0x60fd	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:04.073899031 CET	1.1.1.1	192.168.2.4	0x92b2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:06.827198982 CET	1.1.1.1	192.168.2.4	0xb788	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:50:06.827198982 CET	1.1.1.1	192.168.2.4	0xb788	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:50:26.483973026 CET	1.1.1.1	192.168.2.4	0xeb82	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:27.851433039 CET	1.1.1.1	192.168.2.4	0x7ec0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:50:27.851433039 CET	1.1.1.1	192.168.2.4	0x7ec0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:50:33.698203087 CET	1.1.1.1	192.168.2.4	0x6b8d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:52:29.827655077 CET	1.1.1.1	192.168.2.4	0x8136	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:52:29.966288090 CET	1.1.1.1	192.168.2.4	0x1b8f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 05:52:31.333343983 CET	1.1.1.1	192.168.2.4	0x753a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 05:52:31.333343983 CET	1.1.1.1	192.168.2.4	0x753a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:49:38.183335066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:49:39.269131899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67214 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:49:39.604459047 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:49:40.689614058 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67272 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	7016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:49:40.367304087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:49:41.453293085 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67216 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:49:47.572932959 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:49:47.887998104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67222 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:49:50.731462002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:49:51.046561956 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67225 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:49:53.366471052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:49:53.681348085 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67228 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:49:54.674777985 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:49:54.989849091 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67229 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:04.868237019 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:50:04.997564077 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:05.275470018 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67240 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:06.087191105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:50:06.402074099 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:16.414763927 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:16.456478119 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:50:16.771404028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67251 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:26.775799036 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:27.712901115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:50:28.028347015 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67262 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:34.931845903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:50:35.246743917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67270 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:36.165751934 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:50:36.480904102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67271 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:50:46.486255884 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:56.614157915 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:06.743712902 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:09.081710100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:51:09.396327019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67304 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 05:51:19.411511898 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:29.539268970 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:39.668720961 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:49.798577070 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:52:31.194727898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 05:52:31.509577990 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 67386 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49757	34.107.221.82	80	7016	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 05:49:42.847234011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:49:43.845088005 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67275 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:49:49.884536028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:49:50.200208902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67282 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:49:51.062232971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:49:51.377351999 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67283 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:49:53.699721098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:49:54.015140057 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67285 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:49:54.992819071 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:49:55.309709072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67287 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:05.278790951 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:50:05.314073086 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:05.593657970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67297 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:06.405385971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:50:06.720319986 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67298 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:16.731147051 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:16.773962021 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:50:17.091357946 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67308 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:27.092398882 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:28.030934095 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:50:28.348479986 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67320 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:35.249773026 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:50:35.565383911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67327 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:36.483427048 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:50:36.798618078 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67328 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:50:46.802759886 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:50:56.930460930 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:07.060275078 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:09.414021015 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:51:09.729845047 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67361 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 05:51:19.750173092 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:29.877857924 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:40.007458925 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:51:50.137103081 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 05:52:31.523417950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 05:52:31.890579939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 67443 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	23:49:26
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa00000
File size:	969'216 bytes
MD5 hash:	CFD9AB2985983B15F40A6F8DDDA94EE0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:49:27
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x530000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:49:27
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:49:29
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x530000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:49:29
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x530000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x530000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x530000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:49:30
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	23:49:32
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a7d813-ab86-4a04-a462-8812601b1dad} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23380e6df10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:49:34
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b57976d-da3a-4354-b0b3-d8c11ef1f763} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 23392f65510 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:49:39
Start date:	12/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5064 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5384 -prefMapHandle 5372 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e101298c-ffce-4ec1-91f5-1fa77204f0e6} 7016 "\\.\pipe\gecko-crash-server-pipe.7016" 233928b4710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1708
Total number of Limit Nodes:	50

Executed Functions

Function 00A042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A0430D

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

GetCurrentProcess.KERNEL32(?,00A9CB64,00000000,?,?), ref: 00A04422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A04429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A04454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A04466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00A04474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A0447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00A044A0

Strings

GetNativeSystemInfo, xrefs: 00A04460
kernel32.dll, xrefs: 00A0444F
|O, xrefs: 00A436F8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8cd282573c20b1cb25f2662c8b1f91d790d9cdebe8de93b35e865463aaae15f2
Instruction ID: 0aa2a0d01a97b9c341f31f59668bd33e645e84415fdd03b614e67b8c30de02f4
Opcode Fuzzy Hash: 8cd282573c20b1cb25f2662c8b1f91d790d9cdebe8de93b35e865463aaae15f2
Instruction Fuzzy Hash: 9DA1C7B690B3C4FFCB91C7E9BC851957FA5BB66700B18489BD0839FA62D2314607DB21

Function 00A042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A050AA,?,?,00000000,00000000), ref: 00A042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A050AA,?,?,00000000,00000000), ref: 00A042C9
LoadResource.KERNEL32(?,00000000,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20), ref: 00A435BE
SizeofResource.KERNEL32(?,00000000,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20), ref: 00A435D3
LockResource.KERNEL32(00A050AA,?,?,00A050AA,?,?,00000000,00000000,?,?,?,?,?,?,00A04F20,?), ref: 00A435E6

Strings

SCRIPT, xrefs: 00A042BF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ed765d32bc0aea1134e4fddaa50086afb962de5f54753b80cf991f106787959d
Instruction ID: 56e3dcd90e2db2b343185272d30b45b7a82242fd7a44860966bff67439a31f8f
Opcode Fuzzy Hash: ed765d32bc0aea1134e4fddaa50086afb962de5f54753b80cf991f106787959d
Instruction Fuzzy Hash: A0117CB1300B04BFDB219BA5EC48FA77BB9FBC9B61F10816AB502D6290DF71D8018630

Function 00A42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00A02B6B

Part of subcall function 00A03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1418,?,00A02E7F,?,?,?,00000000), ref: 00A03A78

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00AC2224), ref: 00A42C10
ShellExecuteW.SHELL32(00000000,?,?,00AC2224), ref: 00A42C17

Strings

runas, xrefs: 00A42C0B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 5955b0bbcfa2c4f5064367bfcd30b456dc27a4be359f8a431b505e946bbc1dc0
Instruction ID: 4addac14d7e714eb3e080a56ebbb206201f5d3d7acee7dc071272eb307f48769
Opcode Fuzzy Hash: 5955b0bbcfa2c4f5064367bfcd30b456dc27a4be359f8a431b505e946bbc1dc0
Instruction Fuzzy Hash: 661106726083496ACB04FFA0FA56FBE77A8AB91350F44082EF142460E3CF20894AC713

Function 00A6D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A6D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A6D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A6D52F
CloseHandle.KERNEL32(00000000), ref: 00A6D5DC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 28f2203f660066931b1cd981e7e50da21a87ddac7c24b14eb775101ec4640758
Instruction ID: 1335366f8ca703f128c0beba125ffc1aaea47c3eb4d5ec1cd84c5f273508bdb4
Opcode Fuzzy Hash: 28f2203f660066931b1cd981e7e50da21a87ddac7c24b14eb775101ec4640758
Instruction Fuzzy Hash: F531D6716083049FD300EF54D981AAFBBF8EF99394F10052DF586871A2EB719949CB93

Function 00A6DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00A45222), ref: 00A6DBCE
GetFileAttributesW.KERNEL32(?), ref: 00A6DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A6DBEE
FindClose.KERNEL32(00000000), ref: 00A6DBFA

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 603aa57ad865e6e841f1c8c53b61d2cc40d70e5a85308f10d7ad3b7564e6e096
Instruction ID: 65f20fd1c38f7ddf6431b170db26d7884c4988c7a23b32a6f09825ed7394703e
Opcode Fuzzy Hash: 603aa57ad865e6e841f1c8c53b61d2cc40d70e5a85308f10d7ad3b7564e6e096
Instruction Fuzzy Hash: C5F0A030A10D1867C320EBB8AC0D8AA377C9E01374B504703F836C20E0EFB1599686D9

Function 00A5D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A5D220

Strings

X64, xrefs: 00A5D2A8
%.3d, xrefs: 00A5D22B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f264dc80c6e4682e0c26db7d3d8b485839ded9839aa4c1a1d2c55aff02363b54
Instruction ID: 63d8794a266382741623f6c7ec0710268c3749f257e3f5c28f0c7827c811e36e
Opcode Fuzzy Hash: f264dc80c6e4682e0c26db7d3d8b485839ded9839aa4c1a1d2c55aff02363b54
Instruction Fuzzy Hash: E8D012B580C148FDCB6097D0CC459FDB37CBB08302F508456FC0691040D634D54CAB61

Function 00A24CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000,?,00A328E9), ref: 00A24D09
TerminateProcess.KERNEL32(00000000,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000,?,00A328E9), ref: 00A24D10
ExitProcess.KERNEL32 ref: 00A24D22

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 126e1dd148babfd75b9267349d2a82e3e74085b8b53b6f2afc1a612bcf5ce0b5
Instruction ID: e9d1ef9cc7db0d978f3f9defd79c9875ef7eac0cdb6d452a727b7428d7a368d2
Opcode Fuzzy Hash: 126e1dd148babfd75b9267349d2a82e3e74085b8b53b6f2afc1a612bcf5ce0b5
Instruction Fuzzy Hash: 4DE0B631104558AFCF11AF98EE0AA597B69EB45B91F104025FC098B122CB35DD42CA90

Function 00A5D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A5D28C

Strings

X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5ee545017074bcae45b77ad35fab3d917c6e5ee2944ef94992ee6d22a4ffddfb
Instruction ID: 347d2718970737e2d56fb52caff8ad8fd72409345c49f9bf3566ceb7775e59ac
Opcode Fuzzy Hash: 5ee545017074bcae45b77ad35fab3d917c6e5ee2944ef94992ee6d22a4ffddfb
Instruction Fuzzy Hash: 7FD0CAB480112DEECBA0CBA0EC88DDEB3BCBB08306F100292F506A2000DB7096898F20

Function 00A8AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00A8B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B1D4
_wcslen.LIBCMT ref: 00A8B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8B236
_wcslen.LIBCMT ref: 00A8B332

Part of subcall function 00A705A7: GetStdHandle.KERNEL32(000000F6), ref: 00A705C6

_wcslen.LIBCMT ref: 00A8B34B
_wcslen.LIBCMT ref: 00A8B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A8B3B6
GetLastError.KERNEL32(00000000), ref: 00A8B407
CloseHandle.KERNEL32(?), ref: 00A8B439
CloseHandle.KERNEL32(00000000), ref: 00A8B44A
CloseHandle.KERNEL32(00000000), ref: 00A8B45C
CloseHandle.KERNEL32(00000000), ref: 00A8B46E
CloseHandle.KERNEL32(?), ref: 00A8B4E3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 2095b569ebe687c7be729ff53f97604f9705d3b32da0a36c723611aec35d12b5
Instruction ID: 9c594a20fd0c0362a1a5eea7478b4a0fd5183cc532816647ac8d98493386ab99
Opcode Fuzzy Hash: 2095b569ebe687c7be729ff53f97604f9705d3b32da0a36c723611aec35d12b5
Instruction Fuzzy Hash: EEF1AE316183409FCB14EF24D991B6FBBE1AF85314F14855DF49A9B2A2DB31EC41CB62

Function 00A0D730 Relevance: 21.6, APIs: 14, Instructions: 616windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A0D807
timeGetTime.WINMM ref: 00A0DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB28
TranslateMessage.USER32(?), ref: 00A0DB7B
DispatchMessageW.USER32(?), ref: 00A0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB9F
Sleep.KERNEL32(0000000A), ref: 00A0DBB1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 7b36416dede1073dabcdc9afc4f246184a523a2339781af0f91fe85f5b4bfc7e
Instruction ID: 1bf6ef4873c5ae23f5a9e190bb3ad8d046ccdd1e3d82c6a06966152c7034f800
Opcode Fuzzy Hash: 7b36416dede1073dabcdc9afc4f246184a523a2339781af0f91fe85f5b4bfc7e
Instruction Fuzzy Hash: BC42F131608345EFD728CF64D844BAAB7F0BF46354F148A1EE956872D1D770E889CB92

Function 00A02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A02D07
RegisterClassExW.USER32(00000030), ref: 00A02D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A02D42
InitCommonControlsEx.COMCTL32(?), ref: 00A02D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A02D6F
LoadIconW.USER32(000000A9), ref: 00A02D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A02D94

Strings

0, xrefs: 00A02CE9
TaskbarCreated, xrefs: 00A02D37
AutoIt v3 GUI, xrefs: 00A02D23
+, xrefs: 00A02CF0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: eb97f9ceaa05f5f9a94a19c81fc10b12ce4a3a033591be1f9b5dc862c129dd96
Instruction ID: 63d1dabe4cbacc2aa871bd7113aa53a19cb545fc6d5e817957ca7e7c7c81689d
Opcode Fuzzy Hash: eb97f9ceaa05f5f9a94a19c81fc10b12ce4a3a033591be1f9b5dc862c129dd96
Instruction Fuzzy Hash: 4221C3B5A02218AFDB00DFE4E859BDDBBB8FB08714F00411BF512A62A0DBB14546CF91

Function 00A4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A4039A: CreateFileW.KERNEL32(00000000,00000000,?,00A40704,?,?,00000000,?,00A40704,00000000,0000000C), ref: 00A403B7

GetLastError.KERNEL32 ref: 00A4076F
__dosmaperr.LIBCMT ref: 00A40776
GetFileType.KERNEL32(00000000), ref: 00A40782
GetLastError.KERNEL32 ref: 00A4078C
__dosmaperr.LIBCMT ref: 00A40795
CloseHandle.KERNEL32(00000000), ref: 00A407B5
CloseHandle.KERNEL32(?), ref: 00A408FF
GetLastError.KERNEL32 ref: 00A40931
__dosmaperr.LIBCMT ref: 00A40938

Strings

H, xrefs: 00A408BD

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 69d9b53fb7ba589f5b0887b657d17be500d55ab258608d5fddc8ae536f6ef5fe
Instruction ID: 4dfd296709553267e007aca3668e0f0c41b9e221fe0ada27c743bd018043e6e0
Opcode Fuzzy Hash: 69d9b53fb7ba589f5b0887b657d17be500d55ab258608d5fddc8ae536f6ef5fe
Instruction Fuzzy Hash: 33A1273AA005048FDF19EF78D951FAE7BB0EB86320F24015AF9119F292DB359813DB91

Function 00A0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD1418,?,00A02E7F,?,?,?,00000000), ref: 00A03A78

Part of subcall function 00A03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A03379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A0356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A4318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A431CE
RegCloseKey.ADVAPI32(?), ref: 00A43210
_wcslen.LIBCMT ref: 00A43277
_wcslen.LIBCMT ref: 00A43286

Strings

\, xrefs: 00A4328C
Software\AutoIt v3\AutoIt, xrefs: 00A03560
Include, xrefs: 00A43184, 00A431C5
\Include\, xrefs: 00A03527

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b96f74448abf7e1712f476b820ef04b1528b2d040babb9e25238871159a4e5d1
Instruction ID: f6b34dd93939e3c71208086e2bc97ac99a7ae29da238563778fa9b8d205908bc
Opcode Fuzzy Hash: b96f74448abf7e1712f476b820ef04b1528b2d040babb9e25238871159a4e5d1
Instruction Fuzzy Hash: 2971D6715053049FD704EFA9ED81AABB7F8FFA4750F40052EF5468B1A0EB709A49CB62

Function 00A02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A02B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00A02B9D
LoadIconW.USER32(00000063), ref: 00A02BB3
LoadIconW.USER32(000000A4), ref: 00A02BC5
LoadIconW.USER32(000000A2), ref: 00A02BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A02BEF
RegisterClassExW.USER32(?), ref: 00A02C40

Part of subcall function 00A02CD4: GetSysColorBrush.USER32(0000000F), ref: 00A02D07
Part of subcall function 00A02CD4: RegisterClassExW.USER32(00000030), ref: 00A02D31
Part of subcall function 00A02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A02D42
Part of subcall function 00A02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A02D5F
Part of subcall function 00A02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A02D6F
Part of subcall function 00A02CD4: LoadIconW.USER32(000000A9), ref: 00A02D85
Part of subcall function 00A02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A02D94

Strings

0, xrefs: 00A02C0F
AutoIt v3, xrefs: 00A02C2F
#, xrefs: 00A02C16

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 86c6fd07524931a7cc54b200b50b4c9b637c93e2a63200a91db9c9a08a33ffbd
Instruction ID: 66808110944748f7b6b82e81369c6ca6b82059e3427bedd3c6daf9dcd245a784
Opcode Fuzzy Hash: 86c6fd07524931a7cc54b200b50b4c9b637c93e2a63200a91db9c9a08a33ffbd
Instruction Fuzzy Hash: 03211875E02318BBDB50DFE5EC59AA97FB4FB48B54F40011BE506AA6A0DBB10542CF90

Function 00A03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A0316A,?,?), ref: 00A031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00A0316A,?,?), ref: 00A03204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A03227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A0316A,?,?), ref: 00A03232
CreatePopupMenu.USER32 ref: 00A03246
PostQuitMessage.USER32(00000000), ref: 00A03267

Strings

TaskbarCreated, xrefs: 00A0322D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3a240a5c0b59ee208f535c418185f6890f190740ebf7cb77084196906678bc7f
Instruction ID: fd01530455baaebe9f795d006da803d08305b7b1f293689b2508f65e75cfddf2
Opcode Fuzzy Hash: 3a240a5c0b59ee208f535c418185f6890f190740ebf7cb77084196906678bc7f
Instruction Fuzzy Hash: 4341193A340208BBDF149BF8BD69BB93B6DEB5D350F040217F503862E1DB618A419761

Function 00A01410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A01459
CoUninitialize.COMBASE ref: 00A014F8
UnregisterHotKey.USER32(?), ref: 00A016DD
DestroyWindow.USER32(?), ref: 00A424B9
FreeLibrary.KERNEL32(?), ref: 00A4251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A4254B

Strings

close all, xrefs: 00A01454

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8e71c4ef509d81004e93e8d04014837c89e5f2cebdb58866b0bcac2de9de09c8
Instruction ID: b828d68ff5682bff27a73075514f4e06f8ca88394151b018a780492faf5370f8
Opcode Fuzzy Hash: 8e71c4ef509d81004e93e8d04014837c89e5f2cebdb58866b0bcac2de9de09c8
Instruction Fuzzy Hash: 04D1AD35701212CFCB19EF14D995BA9F7A0BF44310F5582ADF44A6B2A2DB31AC12CF91

Function 00A6DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00A6DE42
gethostname.WS2_32(?,00000100), ref: 00A6DE5C
gethostbyname.WS2_32(?), ref: 00A6DE69
inet_ntoa.WSOCK32(?), ref: 00A6DEAB
_strcat.LIBCMT ref: 00A6DEB9
WSACleanup.WSOCK32 ref: 00A6DEDE

Strings

0.0.0.0, xrefs: 00A6DE87

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 880d6354e6e53537e1ba3151b7d26bb185bdad6d5b42450094ffa30ea00a44ab
Instruction ID: 971a7e5abc011dc7ba39e423440b05414e094c37137c2bbe25a3c90eaed40b68
Opcode Fuzzy Hash: 880d6354e6e53537e1ba3151b7d26bb185bdad6d5b42450094ffa30ea00a44ab
Instruction Fuzzy Hash: E611EC71A04114BFCB20EB64DD4AEDE77BCDF15761F01017AF545EA091EFB18A818A90

Function 00A02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A02C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A02CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A01CAD,?), ref: 00A02CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A01CAD,?), ref: 00A02CCF

Strings

AutoIt v3, xrefs: 00A02C89, 00A02C8E, 00A02C8F
edit, xrefs: 00A02CAC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a578df43ee5a7b468df13870cb5dfae2e213d66e7748eeaa3f5a0c2968e53501
Instruction ID: 8956243da50682672bda2516b448a0ba84e2d289232c7beb0ce66f754cdb3823
Opcode Fuzzy Hash: a578df43ee5a7b468df13870cb5dfae2e213d66e7748eeaa3f5a0c2968e53501
Instruction Fuzzy Hash: C4F0DA796412907BEB719797AC0CEB73FBDD7C6F60B00005BF905AA5A0D6611852DAB0

Function 00A03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00A03B0F,SwapMouseButtons,00000004,?), ref: 00A03B83

Strings

Control Panel\Mouse, xrefs: 00A03B3E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ba0cd34bb398f5cc06e916466c6fa855d66f601926580bcb18415a859323f586
Instruction ID: 871ab383ea39851247695e35cf4392e119709e1d1bd33380329126ccbd5af492
Opcode Fuzzy Hash: ba0cd34bb398f5cc06e916466c6fa855d66f601926580bcb18415a859323f586
Instruction Fuzzy Hash: 1F112AB6610208FFDF20CFA5EC85AAEBBBCEF05758B10445AA806D7150E6719E459760

Function 00A5D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A5D3BF
FreeLibrary.KERNEL32 ref: 00A5D3E5

Strings

X64, xrefs: 00A5D2A8
GetSystemWow64DirectoryW, xrefs: 00A5D3B9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 8e1b97ad67c44b68ab9271633eea0f70f9719315e563c5d71f448c495ee179e0
Instruction ID: 3e0bc4b28803f2c5a4e62c4305db1691dd366971bda1c3f12bc4add7b3399a46
Opcode Fuzzy Hash: 8e1b97ad67c44b68ab9271633eea0f70f9719315e563c5d71f448c495ee179e0
Instruction Fuzzy Hash: 6AF0E571505B11ABD77597108C489EE7228BF10B23F60865AF817E90A9EB70C98DCA96

Function 00A0DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A532B7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: f2b43d514169575834e88f3361e90fd1a2ad0c5f86486d579325cfa543d40799
Instruction ID: 2a03d8f007bf6ae5728a720e9fae48f7fe980af1139d798985954bebf09208f7
Opcode Fuzzy Hash: f2b43d514169575834e88f3361e90fd1a2ad0c5f86486d579325cfa543d40799
Instruction Fuzzy Hash: D3C28F71E00208CFCB14CF98E980AADB7B1FF58310F248969E956AB391D375ED45EB91

Function 00A0EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A0FE66

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 1b59615135e9e90cbaa653dd3c4ef803eab321ee082ffd3694d3d1e79047e93c
Instruction ID: 0918d94a1871ab2a4a65638e67fa47165266226980d1e21da63ea0543694f514
Opcode Fuzzy Hash: 1b59615135e9e90cbaa653dd3c4ef803eab321ee082ffd3694d3d1e79047e93c
Instruction Fuzzy Hash: D0B28B74608345CFCB24CF18E480A2AB7F1BF99314F24496EE9869B391D771ED85CB92

Function 00A03923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A433A2

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A03A04

Strings

Line: , xrefs: 00A433EB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 24ceedfb4278962b9e9b9cc2ee07b56b389c71bdb21ed1144f17b80cd4fc8a3e
Instruction ID: f8fe95aae5edcb403aece39de2d8f1f3d565c5d7bac609c958296d746e602f4d
Opcode Fuzzy Hash: 24ceedfb4278962b9e9b9cc2ee07b56b389c71bdb21ed1144f17b80cd4fc8a3e
Instruction Fuzzy Hash: 6931E272508308ABCB20EB64EC45BEBB3ECAB40314F00492BF59A861D1DB709649C7C2

Function 00A1FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A20668

Part of subcall function 00A232A4: RaiseException.KERNEL32(?,?,?,00A2068A,?,00AD1444,?,?,?,?,?,?,00A2068A,00A01129,00AC8738,00A01129), ref: 00A23304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A20685

Strings

Unknown exception, xrefs: 00A20692

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4bb3447e6b5b9ef612277afd45bdeaecb5e65e68034c43afe0d1327ff160a76f
Instruction ID: 367688f4346185c3cf79a5205a466dc388effbb69bf0764e103ce6940c60ddbb
Opcode Fuzzy Hash: 4bb3447e6b5b9ef612277afd45bdeaecb5e65e68034c43afe0d1327ff160a76f
Instruction Fuzzy Hash: C5F0C23490021DBBCF04B7ACF946DEE7B6C6E00354B604535B824D6593EF75DA65C6C0

Function 00A010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A01BF4
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A01BFC
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A01C07
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A01C12
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A01C1A
Part of subcall function 00A01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A01C22

Part of subcall function 00A01B4A: RegisterWindowMessageW.USER32(00000004,?,00A012C4), ref: 00A01BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A0136A
OleInitialize.OLE32 ref: 00A01388
CloseHandle.KERNEL32(00000000,00000000), ref: 00A424AB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a8e082225535615d434cb5be8e87aeda4490235b8c4baf011e8a75e4fd5a7443
Instruction ID: c87d053c80840732456209aabc0b01ae1909ea73c51b31732c3577f3c8af908a
Opcode Fuzzy Hash: a8e082225535615d434cb5be8e87aeda4490235b8c4baf011e8a75e4fd5a7443
Instruction Fuzzy Hash: C0718BB4A12304AFC784EFF9BA456993BE1FB89354754826BD41BC73A2EB384442CF51

Function 00A6C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A03A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A6C259
KillTimer.USER32(?,00000001,?,?), ref: 00A6C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A6C270

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 0bd6369bcaa68d0f2f1a3f17f33334f6e8940371c1eafa8bb69316192e8ae4b0
Instruction ID: d63afa22550d45b5d86e4fc41deaf59edba9e585cc9dfd2e61bdfc22742088e2
Opcode Fuzzy Hash: 0bd6369bcaa68d0f2f1a3f17f33334f6e8940371c1eafa8bb69316192e8ae4b0
Instruction Fuzzy Hash: 7331C370A04344AFEB22DFB488A5BE7BBFC9F06314F00049AD6EA97241C7745A85CB51

Function 00A386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00A385CC,?,00AC8CC8,0000000C), ref: 00A38704
GetLastError.KERNEL32(?,00A385CC,?,00AC8CC8,0000000C), ref: 00A3870E
__dosmaperr.LIBCMT ref: 00A38739

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 2434f71c894c25b0831c346bf7a39889eaeaf0552f31f72b64b77810e43bbe06
Instruction ID: d003ac3d34d1d1b2258ec764d9119dcffc71e57fd258b6187af31ce948dab4df
Opcode Fuzzy Hash: 2434f71c894c25b0831c346bf7a39889eaeaf0552f31f72b64b77810e43bbe06
Instruction Fuzzy Hash: B5014E32A0572017D634A378AA47B7E77594B82774F39011AF8158F1D2DFA8CC819150

Function 00A0DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00A0DB7B
DispatchMessageW.USER32(?), ref: 00A0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A0DB9F
Sleep.KERNEL32(0000000A), ref: 00A0DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00A51CC9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: efc1006eb2c205f07141f35f7cc43fdeef9c856ff20856cb444c778d058ccfdc
Instruction ID: cc4cd7a467ef15d463a3680325714ec18b1c711850a6e9849b93d1ba902e0e30
Opcode Fuzzy Hash: efc1006eb2c205f07141f35f7cc43fdeef9c856ff20856cb444c778d058ccfdc
Instruction Fuzzy Hash: DCF0FE316443849BE730DBE09C89FEA73ADEB85711F504A1AE65A970D0DB309489DB25

Function 00A11310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A117F6

Strings

CALL, xrefs: 00A117C6

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 669fde9bdf495921019c118e67a4798c1a2f8727057a36927365887ed013b730
Instruction ID: 443232628dff59a4adad29b273aafec6707e8138955d8da7baa7df5cf4d2638b
Opcode Fuzzy Hash: 669fde9bdf495921019c118e67a4798c1a2f8727057a36927365887ed013b730
Instruction Fuzzy Hash: C5228C706083419FC714DF14C580BAABBF2BF85314F64895DF9968B3A1D735E885CB92

Function 00A101E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c637e520bb3fd2c05b829f86dc7f4208a9c7086de3a69b067e58e35da18f48
Instruction ID: b4bc08b68afd40a83e64666e980e384fa6f873e6ece655243ef9fc40235fa87e
Opcode Fuzzy Hash: 13c637e520bb3fd2c05b829f86dc7f4208a9c7086de3a69b067e58e35da18f48
Instruction Fuzzy Hash: C932CB30A00604DFCB24DF64D9A5EEEB7B1BF05311F148529E926AB2A1D771EDC8CB91

Function 00A02DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A42C8C

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A02DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00A02DC4

Strings

X, xrefs: 00A42C5A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: afa868059812207867841be80b9a3683d9832070ee2b0675c9a4e0e5940156d6
Instruction ID: ffb88907bf82efbd0f65d6fc680176a835dc291e998e24cdf0ef4dd8e868a1ab
Opcode Fuzzy Hash: afa868059812207867841be80b9a3683d9832070ee2b0675c9a4e0e5940156d6
Instruction Fuzzy Hash: 7621A571A0025C9FCF01EF94D949BEE7BFCAF49314F00405AE405AB281DBB45A898F61

Function 00A5D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00A5D375

Strings

X64, xrefs: 00A5D2A8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 4d9cff782799d1ccae01eccd9af42cda4734ebb87b7ef41dab5b3042505ab28d
Instruction ID: 9d8d2996105653fb2025b77748ed5236c3ca59e106b56cc0a02eaa94efbc039c
Opcode Fuzzy Hash: 4d9cff782799d1ccae01eccd9af42cda4734ebb87b7ef41dab5b3042505ab28d
Instruction Fuzzy Hash: DAD0C9B5805118FFCBA0CB80DC88DDEB37CBB04302F504252F402A2000DB7096889F11

Function 00A03837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A03908

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 82df8420eac3355da1fd49e73e1b164ec6f5a86042d14b18b3e59456badafd7d
Instruction ID: 2b04cc4bab64a189971fda547cc30ab93150df857524d6116e327c4227e83765
Opcode Fuzzy Hash: 82df8420eac3355da1fd49e73e1b164ec6f5a86042d14b18b3e59456badafd7d
Instruction Fuzzy Hash: C931C3756057059FD760DF64E884797BBF8FB49308F00096EF59A87280E771AA48CB52

Function 00A1F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A1F661

Part of subcall function 00A0D730: GetInputState.USER32 ref: 00A0D807

Sleep.KERNEL32(00000000), ref: 00A5F2DE

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: f8c219f56f3e970220d4c5c5c87df302f6230ef125a122ccd1c1a8ef60cabe41
Instruction ID: afb730434a9b242ab5946043b36dab6f9045a8c8aa6547cc0b1660a18baa7af7
Opcode Fuzzy Hash: f8c219f56f3e970220d4c5c5c87df302f6230ef125a122ccd1c1a8ef60cabe41
Instruction Fuzzy Hash: 57F082312406059FD310EFA5E945B5AB7E4FF49761F00006AE85EC73A0DB70BC00CB90

Function 00A0B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A0BB4E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c2e0d9aef4be363bab10b54513fbf8aef3fb999de5bd29ccfdb1c88d90a48945
Instruction ID: dc9bb8fdad118009101db8e4f8cef920027d5073e1264be89f394108f4b68412
Opcode Fuzzy Hash: c2e0d9aef4be363bab10b54513fbf8aef3fb999de5bd29ccfdb1c88d90a48945
Instruction Fuzzy Hash: AB32AB34A00209AFDB24CF54DA94FBEB7B5FF44350F14805AED16AB2A1C774AD85CBA1

Function 00A04ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E9C
Part of subcall function 00A04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04EAE
Part of subcall function 00A04E90: FreeLibrary.KERNEL32(00000000,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EFD

Part of subcall function 00A04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E62
Part of subcall function 00A04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04E74
Part of subcall function 00A04E59: FreeLibrary.KERNEL32(00000000,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E87

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6dbbd94a9f81de633b3a1073c944fd0fc8d4d2eaaecc9b27d007d07c18ed3b5b
Instruction ID: 51af687baab1a4e265d43a19a9ccde6316dee1904ea769521e1c3d6f09c06a2e
Opcode Fuzzy Hash: 6dbbd94a9f81de633b3a1073c944fd0fc8d4d2eaaecc9b27d007d07c18ed3b5b
Instruction Fuzzy Hash: 3D11E7B261020AABDF14FF74EE02FED77A5BF44B11F10842DF642A61C1DEB09A459B50

Function 00A38402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A38440

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6067391b432d3a65a3503174865d37e02bb296c47430cdffa929088eed8ed083
Instruction ID: 8caa7f04de6f9bca9a4e606dd1f22b824634d11c0e2dbac7f9453d4c0d02c4e3
Opcode Fuzzy Hash: 6067391b432d3a65a3503174865d37e02bb296c47430cdffa929088eed8ed083
Instruction Fuzzy Hash: 1311187590420AAFCF15DF58E94199A7BF5EF48314F104059F809AB312DB31DA11CBA5

Function 00A2E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9c3f92c0cf512e1e242c298e024df341261f17db75382bc530039d325ca09794
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D4F0F432511A309AD6317B6DBE05B5A33A89F52331F100735F420921D2DB78E84186A5

Function 00A33820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd0c2e17f553a931beaea1b13148318f31d99ff627ab20c1806e71635e7b3b5f
Instruction ID: d37f692ec18d1e0c89c1b403ea44a783e591a11daedd38ab7867de807c1cf630
Opcode Fuzzy Hash: cd0c2e17f553a931beaea1b13148318f31d99ff627ab20c1806e71635e7b3b5f
Instruction Fuzzy Hash: 2BE0E53310A234A6EE212BBBAD01B9A3758AF427B0F150131BC05964A0CB10DD0282E4

Function 00A04F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04F6D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bcd698012414aab0a16743f9e20448beabcbf941588a844c61eaea7e708b78df
Instruction ID: 30e5c6b6026c9c4e361b247a51ccda9b7bdc998689cf44964cfe998392076551
Opcode Fuzzy Hash: bcd698012414aab0a16743f9e20448beabcbf941588a844c61eaea7e708b78df
Instruction Fuzzy Hash: 19F015B1505756CFDB349F64E590822BBF4BF187293208A7EE3EA82661CB319884DB10

Function 00A030F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A0314E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8030a9e13c90cdb1391101e6ada44d34f8de96120fc72302482f7f9c95506d11
Instruction ID: d39509ee77e71bd884e84eaca8c56dd39f8038d8bbc0b0f344748ca9b425c1f6
Opcode Fuzzy Hash: 8030a9e13c90cdb1391101e6ada44d34f8de96120fc72302482f7f9c95506d11
Instruction Fuzzy Hash: C5F0A770A00318AFEB92DB64EC497D57BFCA701708F0000E6A5499A181DB705789CF41

Function 00A02DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00A02DC4

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5d703ea8bf90543facfa8116502e7f305ad687cd8a6f8e6587797f27bb9d3e21
Instruction ID: 6566185803e67556612a276c8b51820e0020f7912491c16ce22cd429194f0c0b
Opcode Fuzzy Hash: 5d703ea8bf90543facfa8116502e7f305ad687cd8a6f8e6587797f27bb9d3e21
Instruction Fuzzy Hash: 93E0CD76A001245BC710E7989C05FDA77DDDFC8794F040072FD09D7248DD60AD858550

Function 00A02B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A03908

Part of subcall function 00A0D730: GetInputState.USER32 ref: 00A0D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00A02B6B

Part of subcall function 00A030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A0314E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f79668663c83600b876434a870513adbcc10b4a3d28eed80dd090c4bf4f70a8b
Instruction ID: 281d8908d99a624cb637db702ff15ba656ad4474175c1c60e6a16643bf189cc0
Opcode Fuzzy Hash: f79668663c83600b876434a870513adbcc10b4a3d28eed80dd090c4bf4f70a8b
Instruction Fuzzy Hash: 05E086A370425C17CA04FBB4BA5657EB75D9BD1351F40597FF143472E3CE24454A4352

Function 00A6DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00A6DF40

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: e7dd3aa5a42b348bdf0ff94897213d11132b7367f08e0a107c4ed8c443cb3b24
Instruction ID: bf09afc8e8b57c6816bac48227640ab61f2488d7157fbc26451c10e699730067
Opcode Fuzzy Hash: e7dd3aa5a42b348bdf0ff94897213d11132b7367f08e0a107c4ed8c443cb3b24
Instruction Fuzzy Hash: 9AD05EE2A002282BDF60E6749D0DEF73AACC780224F0006A1786DD3192ED20DD4586F0

Function 00A4039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00A40704,?,?,00000000,?,00A40704,00000000,0000000C), ref: 00A403B7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0d4687b2d4b67b0e94d824b2ab355ba9286de293a4fb9186fba886160762f728
Instruction ID: 03c36797434889da4b155c260a1187f76be99695321f7e6a61d8c5ae7b4b0695
Opcode Fuzzy Hash: 0d4687b2d4b67b0e94d824b2ab355ba9286de293a4fb9186fba886160762f728
Instruction Fuzzy Hash: 78D06C3214010DBBDF028F84DD06EDA3BAAFB48714F114100BE1856020C732E822AB94

Function 00A01CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A01CBC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0de6675b339ad696392807a2094aefe15ab961f5d46b6328003357881d2308f0
Instruction ID: 59097b5840b3358e49b4d7c9daea18973e2846f5b55eaa61ad691f6ae073eab7
Opcode Fuzzy Hash: 0de6675b339ad696392807a2094aefe15ab961f5d46b6328003357881d2308f0
Instruction Fuzzy Hash: 2AC092363C1304AFF214CBC4BC4EF107764A358B14F448003F60AA95E3C7A22822EB50

Non-executed Functions

Function 00A99576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A9961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A9969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A996C9
SendMessageW.USER32 ref: 00A996F2
GetKeyState.USER32(00000011), ref: 00A9978B
GetKeyState.USER32(00000009), ref: 00A99798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A997AE
GetKeyState.USER32(00000010), ref: 00A997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A997E9
SendMessageW.USER32 ref: 00A99810
SendMessageW.USER32(?,00001030,?,00A97E95), ref: 00A99918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A9992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A99941
SetCapture.USER32(?), ref: 00A9994A
ClientToScreen.USER32(?,?), ref: 00A999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A999D6
ReleaseCapture.USER32 ref: 00A999E1
GetCursorPos.USER32(?), ref: 00A99A19
ScreenToClient.USER32(?,?), ref: 00A99A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A99A80
SendMessageW.USER32 ref: 00A99AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A99AEB
SendMessageW.USER32 ref: 00A99B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A99B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A99B4A
GetCursorPos.USER32(?), ref: 00A99B68
ScreenToClient.USER32(?,?), ref: 00A99B75
GetParent.USER32(?), ref: 00A99B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A99BFA
SendMessageW.USER32 ref: 00A99C2B
ClientToScreen.USER32(?,?), ref: 00A99C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A99CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A99CDE
SendMessageW.USER32 ref: 00A99D01
ClientToScreen.USER32(?,?), ref: 00A99D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A99D82

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

GetWindowLongW.USER32(?,000000F0), ref: 00A99E05

Strings

F, xrefs: 00A99D07
@GUI_DRAGID, xrefs: 00A9997D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: e91c13b753cb77cdbd5f56554bdfaf4dcf149e3d6b7975a7be2e34d1a199da97
Instruction ID: 3796936e9d7cf018c011c0c15892c0b46a120e98897f48e4c6c46c06b9d3001e
Opcode Fuzzy Hash: e91c13b753cb77cdbd5f56554bdfaf4dcf149e3d6b7975a7be2e34d1a199da97
Instruction Fuzzy Hash: 91427C35304241BFDB24CF68CD94AABBBE5FF49720F14061EF699872A1DB31A891CB51

Function 00A94873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A94908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A94927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A9494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A9495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A9497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A94A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A94A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A94A7E
IsMenu.USER32(?), ref: 00A94A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A94AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A94B20
GetWindowLongW.USER32(?,000000F0), ref: 00A94B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A94BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A94C82
wsprintfW.USER32 ref: 00A94CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A94CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A94CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A94D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A94D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A94D5A

Strings

%d/%02d/%02d, xrefs: 00A94CA8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 700037878154ecedbf79f41eca96484c29dbe38e3713eb84b36a9e3c0df5eb68
Instruction ID: bea6ee4040a9b7e767055bba1ea168c7e1979756aa8fd93c906e64e85412a857
Opcode Fuzzy Hash: 700037878154ecedbf79f41eca96484c29dbe38e3713eb84b36a9e3c0df5eb68
Instruction Fuzzy Hash: 7E12CE71700255ABEF248F68CC49FAE7BF8AF49710F14412AF516EB2E1DB789942CB50

Function 00A1F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A1F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5F474
IsIconic.USER32(00000000), ref: 00A5F47D
ShowWindow.USER32(00000000,00000009), ref: 00A5F48A
SetForegroundWindow.USER32(00000000), ref: 00A5F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5F4AA
GetCurrentThreadId.KERNEL32 ref: 00A5F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A5F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A5F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A5F4DE
SetForegroundWindow.USER32(00000000), ref: 00A5F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F4F6
keybd_event.USER32(00000012,00000000), ref: 00A5F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F50B
keybd_event.USER32(00000012,00000000), ref: 00A5F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F519
keybd_event.USER32(00000012,00000000), ref: 00A5F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A5F528
keybd_event.USER32(00000012,00000000), ref: 00A5F52D
SetForegroundWindow.USER32(00000000), ref: 00A5F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A5F557

Strings

Shell_TrayWnd, xrefs: 00A5F46F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 88e347983c4b528930669197f2242818e207fd99801dee1f0c662ba4c333fa09
Instruction ID: 68c9170181f9d94a10e578f751e1eb8cdd7ee14d2c9f42308a0e4ab92786274e
Opcode Fuzzy Hash: 88e347983c4b528930669197f2242818e207fd99801dee1f0c662ba4c333fa09
Instruction Fuzzy Hash: 7B315371B802187FEB20ABF55C49FBF7E7DEB44B61F110426FA04E61D1DAB15D01AA60

Function 00A61201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
Part of subcall function 00A616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
Part of subcall function 00A616C3: GetLastError.KERNEL32 ref: 00A6174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A61286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A612A8
CloseHandle.KERNEL32(?), ref: 00A612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A612D1
GetProcessWindowStation.USER32 ref: 00A612EA
SetProcessWindowStation.USER32(00000000), ref: 00A612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A61310

Part of subcall function 00A610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A611FC), ref: 00A610D4
Part of subcall function 00A610BF: CloseHandle.KERNEL32(?,?,00A611FC), ref: 00A610E9

Strings

, xrefs: 00A6125A
default, xrefs: 00A6130B
winsta0, xrefs: 00A612CC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 666cebf47ba040a1cb9f330696bbfc5ab965e12f91b116ab7a7e9426a861de73
Instruction ID: 82802d046cc1d5d7bdc951cd94582154360f68a82fcd2e4928deba59f098a624
Opcode Fuzzy Hash: 666cebf47ba040a1cb9f330696bbfc5ab965e12f91b116ab7a7e9426a861de73
Instruction Fuzzy Hash: 1081ACB1A00208AFDF21DFA4DD49FEE7FB9EF04704F18412AFA11A61A0DB718945CB21

Function 00A60B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
Part of subcall function 00A610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
Part of subcall function 00A610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
Part of subcall function 00A610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A60BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A60C00
GetLengthSid.ADVAPI32(?), ref: 00A60C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A60C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A60C6D
GetLengthSid.ADVAPI32(?), ref: 00A60C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A60C8C
HeapAlloc.KERNEL32(00000000), ref: 00A60C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A60CB4
CopySid.ADVAPI32(00000000), ref: 00A60CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A60CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A60D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A60D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D45
HeapFree.KERNEL32(00000000), ref: 00A60D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D55
HeapFree.KERNEL32(00000000), ref: 00A60D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60D65
HeapFree.KERNEL32(00000000), ref: 00A60D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A60D78
HeapFree.KERNEL32(00000000), ref: 00A60D7F

Part of subcall function 00A61193: GetProcessHeap.KERNEL32(00000008,00A60BB1,?,00000000,?,00A60BB1,?), ref: 00A611A1
Part of subcall function 00A61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A60BB1,?), ref: 00A611A8
Part of subcall function 00A61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A60BB1,?), ref: 00A611B7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 41c5bf07fedcd47d9aa570c647570a40ef293943d742f5a40d21e3b4f0abfb57
Instruction ID: c8c94d140490d13fae205c7829b31506447b81d1d39aac262cddd7bb91d3851d
Opcode Fuzzy Hash: 41c5bf07fedcd47d9aa570c647570a40ef293943d742f5a40d21e3b4f0abfb57
Instruction Fuzzy Hash: 90715A72A0021AEFDF10DFE4DC44FAFBBB8BF05310F144616E915A6191DB71AA46CBA0

Function 00A7EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A9CC08), ref: 00A7EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A7EB37
GetClipboardData.USER32(0000000D), ref: 00A7EB43
CloseClipboard.USER32 ref: 00A7EB4F
GlobalLock.KERNEL32(00000000), ref: 00A7EB87
CloseClipboard.USER32 ref: 00A7EB91
GlobalUnlock.KERNEL32(00000000), ref: 00A7EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A7EBC9
GetClipboardData.USER32(00000001), ref: 00A7EBD1
GlobalLock.KERNEL32(00000000), ref: 00A7EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00A7EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A7EC38
GetClipboardData.USER32(0000000F), ref: 00A7EC44
GlobalLock.KERNEL32(00000000), ref: 00A7EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A7EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A7EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A7ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00A7ECF3
CountClipboardFormats.USER32 ref: 00A7ED14
CloseClipboard.USER32 ref: 00A7ED59

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 2caa1c452baf6b7d276faa9b572c7bd459ce0945142848585f5c1e9e88e784a0
Instruction ID: f4b48c8c64bb1827f052ff54f614680822f35a4eb30b03fcbeafafe2aeef3b1f
Opcode Fuzzy Hash: 2caa1c452baf6b7d276faa9b572c7bd459ce0945142848585f5c1e9e88e784a0
Instruction Fuzzy Hash: BB61E2352042059FD310EF64DD84F6A7BE8AF88714F04C59AF55A872A2DF30DD06CBA2

Function 00A7698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A769BE
FindClose.KERNEL32(00000000), ref: 00A76A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A76A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A76A75

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A76AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A76ADF

Strings

%02d, xrefs: 00A76C00, 00A76C0A, 00A76C5A, 00A76CAA, 00A76CFA, 00A76D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00A76B6A
%4d, xrefs: 00A76BB1
%03d, xrefs: 00A76DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A76B32

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 7f688fbaabb438be620e3c4c53b7c2813290f2e308a150396708ad5d30309272
Instruction ID: ab5b96af7c2bb8b89f1d8b5c09ce0fc754a8eee1510ad17d83a7a2e3c052e2fc
Opcode Fuzzy Hash: 7f688fbaabb438be620e3c4c53b7c2813290f2e308a150396708ad5d30309272
Instruction Fuzzy Hash: 46D14071508344AEC710EBA4DD81EABB7ECAF88704F44491DF589D6191EB74EA48CB62

Function 00A79642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A79663
GetFileAttributesW.KERNEL32(?), ref: 00A796A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A796BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A796D3
FindClose.KERNEL32(00000000), ref: 00A796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A7974A
SetCurrentDirectoryW.KERNEL32(00AC6B7C), ref: 00A79768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A79772
FindClose.KERNEL32(00000000), ref: 00A7977F
FindClose.KERNEL32(00000000), ref: 00A7978F

Strings

*.*, xrefs: 00A796F5

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 9c85cb2f6af36f5be921f5fba0d05e5380121cd7e9793d05a9bc83e5e9f73d85
Instruction ID: 8782566e2d4e40dfffba7549a72c7fded9ed8d80de69308d6c5494541addf8e7
Opcode Fuzzy Hash: 9c85cb2f6af36f5be921f5fba0d05e5380121cd7e9793d05a9bc83e5e9f73d85
Instruction Fuzzy Hash: 7D319132641619BBDB14EFB4EC49EDF77ACAF09320F10C567E819E2190EB30DD458A24

Function 00A7979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A79819
FindClose.KERNEL32(00000000), ref: 00A79824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A79840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A79890
SetCurrentDirectoryW.KERNEL32(00AC6B7C), ref: 00A798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A798B8
FindClose.KERNEL32(00000000), ref: 00A798C5
FindClose.KERNEL32(00000000), ref: 00A798D5

Part of subcall function 00A6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A6DB00

Strings

*.*, xrefs: 00A7983B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: de82891dde68eacba4051e9672878fa5605e46b5f0a0be35db3ca6eddff377a0
Instruction ID: 408d5e6d0a3d2db329299921105107be86ee06ea27ee109cd17b14c9b404e570
Opcode Fuzzy Hash: de82891dde68eacba4051e9672878fa5605e46b5f0a0be35db3ca6eddff377a0
Instruction Fuzzy Hash: 75319232641A19BADB10EFB4EC48ADF77ACAF06320F14C5A7E818A2190DB30DD458B65

Function 00A8BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A8BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00A8BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A8C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A8C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A8C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8C382
RegCloseKey.ADVAPI32(00000000), ref: 00A8C38F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a232531ce2599ae76fc1c11233672df2f1e54dd28104d2b929d372bddce8ddc5
Instruction ID: b10af756255bc04c681f09170a71799d8b674ec8f413cb4103f5a9d6475e3950
Opcode Fuzzy Hash: a232531ce2599ae76fc1c11233672df2f1e54dd28104d2b929d372bddce8ddc5
Instruction Fuzzy Hash: 3A024C71604200AFD714DF24C995E2ABBE5EF49318F18859DF84ACB2A2DB31ED46CF61

Function 00A6D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A6D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A6D1DD
MoveFileW.KERNEL32(?,?), ref: 00A6D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A6D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6D237

Part of subcall function 00A6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A6D21C,?,?), ref: 00A6D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A6D253
FindClose.KERNEL32(00000000), ref: 00A6D264

Strings

\*.*, xrefs: 00A6D0CD, 00A6D0D6, 00A6D0EB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 53c45586540e5dc3c8b9a729db3933a259dfb09b36ed2f62d75c3b1f4b7f9ad2
Instruction ID: cf15d13d552c6397f36c12c50bc8046a2165bd37a110cd98e86bd1a54fcbfebf
Opcode Fuzzy Hash: 53c45586540e5dc3c8b9a729db3933a259dfb09b36ed2f62d75c3b1f4b7f9ad2
Instruction Fuzzy Hash: ED616E31E0110DAFCF05EBE0DA929EEB7B9AF55340F208165E40277192EB316F09DB61

Function 00A7ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A7ED91
EmptyClipboard.USER32 ref: 00A7ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A7EDAC
CloseClipboard.USER32 ref: 00A7EEA3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a040cf164879af114f4bd0ac4acaaa046e92f631c9d2fcbdae4e0c999429d129
Instruction ID: d3c94999622950d7402e0ff0a0b42703276a031d8f010414938b9865a329a6e7
Opcode Fuzzy Hash: a040cf164879af114f4bd0ac4acaaa046e92f631c9d2fcbdae4e0c999429d129
Instruction Fuzzy Hash: 3841A335604611AFD720DF55E848F5ABBE5FF48328F14C49AE4198F6A2CB35EC42CB90

Function 00A6E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
Part of subcall function 00A616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
Part of subcall function 00A616C3: GetLastError.KERNEL32 ref: 00A6174A

ExitWindowsEx.USER32(?,00000000), ref: 00A6E932

Strings

, xrefs: 00A6E920
@, xrefs: 00A6E925
, xrefs: 00A6E95C
SeShutdownPrivilege, xrefs: 00A6E902

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 4b9b211b5ab2929b5c1f032ae0103b807a6c36a445a9a7b6859badefda4782b1
Instruction ID: e81424ea23c5475c83394ae6ec424a7f55874f8d4ac7f179332625150f6712dd
Opcode Fuzzy Hash: 4b9b211b5ab2929b5c1f032ae0103b807a6c36a445a9a7b6859badefda4782b1
Instruction Fuzzy Hash: 3401D67B710211ABFB54E7B49C86FBBB37CAF14750F150822F912E21D1E9A15C4081A0

Function 00A81204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A81276
WSAGetLastError.WSOCK32 ref: 00A81283
bind.WSOCK32(00000000,?,00000010), ref: 00A812BA
WSAGetLastError.WSOCK32 ref: 00A812C5
closesocket.WSOCK32(00000000), ref: 00A812F4
listen.WSOCK32(00000000,00000005), ref: 00A81303
WSAGetLastError.WSOCK32 ref: 00A8130D
closesocket.WSOCK32(00000000), ref: 00A8133C

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 808bbcb5e3a172b1c11f6609cf6e70504726a9d6d636fe83f3c9a427e18501fa
Instruction ID: bba3b30be8bb6ad7fee0353ffeaba8c2a91a2e72e9bfd151660af15577c2aa18
Opcode Fuzzy Hash: 808bbcb5e3a172b1c11f6609cf6e70504726a9d6d636fe83f3c9a427e18501fa
Instruction Fuzzy Hash: 4141A4316002009FD710EF64D588B69BBE9FF46328F188199D8568F2D6D771ED82CBE1

Function 00A6D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A6D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A6D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6D481
FindClose.KERNEL32(00000000), ref: 00A6D498
FindClose.KERNEL32(00000000), ref: 00A6D4A1

Strings

\*.*, xrefs: 00A6D3F2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8af70b5ad411c1fbdaaccf335ce3c9274d3bf61e955d533b3bb076b441721b32
Instruction ID: c761fe50585831eeb19383369acf1d5d62247898e106155e963818a8e1d8dfad
Opcode Fuzzy Hash: 8af70b5ad411c1fbdaaccf335ce3c9274d3bf61e955d533b3bb076b441721b32
Instruction Fuzzy Hash: 6A317E31508349ABC304EF64D9959AFB7B8AEA1354F444A1EF4D5931D1EF30AE09CB63

Function 00A3E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A3E645

Strings

1#QNAN, xrefs: 00A3F84B
1#SNAN, xrefs: 00A3F844
1#IND, xrefs: 00A3F83D
1#INF, xrefs: 00A3F852

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 05eea638af8c737b05cddd3958ab0c91e3e0b7198e137ee2e821e86d478a1139
Instruction ID: 72fe6640faeb1650dcb490c15d966699d615cb56d551334843da0872e9ff3513
Opcode Fuzzy Hash: 05eea638af8c737b05cddd3958ab0c91e3e0b7198e137ee2e821e86d478a1139
Instruction Fuzzy Hash: B8C23A71E186298FDB25CF28DD407EAB7B5EB49305F1441EAE84DE7281E774AE818F40

Function 00A7648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A764DC
CoInitialize.OLE32(00000000), ref: 00A76639
CoCreateInstance.OLE32(00A9FCF8,00000000,00000001,00A9FB68,?), ref: 00A76650
CoUninitialize.OLE32 ref: 00A768D4

Strings

.lnk, xrefs: 00A764BA, 00A76524, 00A765E0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 67f468ab27ba076d946293aaf95820a6f17c27749911ffbc99b5e2bf99e7769b
Instruction ID: c20675d3c7d2bb5341c0db9faae39a46688f4571bc4b751a136ae612757c4049
Opcode Fuzzy Hash: 67f468ab27ba076d946293aaf95820a6f17c27749911ffbc99b5e2bf99e7769b
Instruction Fuzzy Hash: B7D14971508705AFD304EF24D981A6BB7E8FF98704F00896DF5998B292DB70ED09CB92

Function 00A822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A822E8

Part of subcall function 00A7E4EC: GetWindowRect.USER32(?,?), ref: 00A7E504

GetDesktopWindow.USER32 ref: 00A82312
GetWindowRect.USER32(00000000), ref: 00A82319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A82355
GetCursorPos.USER32(?), ref: 00A82381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A823DF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 06615c6784dd480777fbdc51f32a617cc44cdbcd014d5f29498abab5b3fe0271
Instruction ID: 203801514e02d8e13ac83caba65dd5d7319090402c0f9c62c08b763b9d3e984b
Opcode Fuzzy Hash: 06615c6784dd480777fbdc51f32a617cc44cdbcd014d5f29498abab5b3fe0271
Instruction Fuzzy Hash: A331E372604315AFC720EF54C845F6BB7E9FF84710F00091AF9859B181DB34E909CB92

Function 00A79B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A79B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A79C8B

Part of subcall function 00A73874: GetInputState.USER32 ref: 00A738CB
Part of subcall function 00A73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A73966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A79BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A79C75

Strings

*.*, xrefs: 00A79B5D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: bd65ffd4c1822e3a9a6d5541a791ec5d36b58f3b12db4d6d84dc2a5efeb3cc77
Instruction ID: ce81f34bc8226e725baaf58b6617ed3107c54d36c69d32a26f3faafbb3e63233
Opcode Fuzzy Hash: bd65ffd4c1822e3a9a6d5541a791ec5d36b58f3b12db4d6d84dc2a5efeb3cc77
Instruction Fuzzy Hash: B2415E7190060AAFCF15DFA4DD95AEFBBB8EF05310F24C156E409A2191EB309E84CF61

Function 00A1997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A19A4E
GetSysColor.USER32(0000000F), ref: 00A19B23
SetBkColor.GDI32(?,00000000), ref: 00A19B36

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cf28e923cfe8521f7856aa6d4cc752e5a525e17d1a84596a5250cabc659212a3
Instruction ID: a8a9e65be283d2df8af743040be4f942121dcbd2f323bd9aa55ea1a240e20ec4
Opcode Fuzzy Hash: cf28e923cfe8521f7856aa6d4cc752e5a525e17d1a84596a5250cabc659212a3
Instruction Fuzzy Hash: 94A13A70208414BEE725DB3CADB8DFF36EDEF46381B14010AF802D6591CA359D8AD272

Function 00A81806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
Part of subcall function 00A8304E: _wcslen.LIBCMT ref: 00A8309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A8185D
WSAGetLastError.WSOCK32 ref: 00A81884
bind.WSOCK32(00000000,?,00000010), ref: 00A818DB
WSAGetLastError.WSOCK32 ref: 00A818E6
closesocket.WSOCK32(00000000), ref: 00A81915

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: dc1fde3901f8495dd6e46e88eb8c9ddd88af724c4410cdb08c4998d48d5d44d6
Instruction ID: 93c76d8c61df6a59e72af3c6e88f902f62194c04e0702dc9f6adc82254ac4ebb
Opcode Fuzzy Hash: dc1fde3901f8495dd6e46e88eb8c9ddd88af724c4410cdb08c4998d48d5d44d6
Instruction Fuzzy Hash: 0451C671A00204AFDB10EF64D986F6A77E5AB44718F048498F9065F3D3DB71AD82CBE1

Function 00A91C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A91CC0
IsWindowEnabled.USER32 ref: 00A91CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A91CDB
IsIconic.USER32 ref: 00A91CE9
IsZoomed.USER32 ref: 00A91CF7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f7f8a688b3e8a767d166d4319ccd2d9bf8e1fd7520de78c7b1e019c2c1650cde
Instruction ID: 5a070d1f0d2e04be60df7504d3adbc50dc200f0380ff4a81dfabaae95c19d07e
Opcode Fuzzy Hash: f7f8a688b3e8a767d166d4319ccd2d9bf8e1fd7520de78c7b1e019c2c1650cde
Instruction Fuzzy Hash: 4121A4317806125FDB208F2AD884F6A7BE5EF95325F198069E846CB351DB71EC42CB90

Function 00A08060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A083FA
VUUU, xrefs: 00A45DF0
VUUU, xrefs: 00A0843C
ERCP, xrefs: 00A0813C
VUUU, xrefs: 00A083E8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: edc4f238927e8856accc07e524383143250b972c5052221f58cd80aa3ba61a76
Instruction ID: de6f712b2687357583e77d70d9b9a218ddf61e512383a0c94a65706ce9e2bf47
Opcode Fuzzy Hash: edc4f238927e8856accc07e524383143250b972c5052221f58cd80aa3ba61a76
Instruction Fuzzy Hash: EAA2B074E0061ECBDF24CF58D8407AEB7B1BF84310F2481AAE855AB285EB759D81CF95

Function 00A6AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A6AAAC
SetKeyboardState.USER32(00000080), ref: 00A6AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A6AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A6AB88

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a3baf302f12c1989412153bb6e36dd0a2bbf6bc06fca394b77cc8a24574a760
Instruction ID: 70b33c26155c41b25e59f7032e3c27d8a90bb76fca780f962c5419d4d4ff4da2
Opcode Fuzzy Hash: 9a3baf302f12c1989412153bb6e36dd0a2bbf6bc06fca394b77cc8a24574a760
Instruction Fuzzy Hash: 1D31F430A40648AEFB35CB658C05BFE7BBAEB65320F04421BF591A61D1D7758D81CB62

Function 00A3BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3BB7F

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

GetTimeZoneInformation.KERNEL32 ref: 00A3BB91
WideCharToMultiByte.KERNEL32(00000000,?,00AD121C,000000FF,?,0000003F,?,?), ref: 00A3BC09
WideCharToMultiByte.KERNEL32(00000000,?,00AD1270,000000FF,?,0000003F,?,?,?,00AD121C,000000FF,?,0000003F,?,?), ref: 00A3BC36

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 7ef7c8bfcf21108d3a0adcec1a14d0e312fd87fa4c59ff482c4b3e46e31c92a2
Instruction ID: 47c8180837f0eebe1a119975d8a32689a6aadfdc3533dd969abfb7aa4b6e966b
Opcode Fuzzy Hash: 7ef7c8bfcf21108d3a0adcec1a14d0e312fd87fa4c59ff482c4b3e46e31c92a2
Instruction Fuzzy Hash: 3C31B070904205EFCB11DFA9DC819A9BBB9FF45720B1446ABF161DB2A1DB319E42CB60

Function 00A7CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A7CE89
GetLastError.KERNEL32(?,00000000), ref: 00A7CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A7CEFE

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 58ec462610557f04b89fdad6e36406f6898a850384882e3844fa6763b5850b03
Instruction ID: d72aceda207dcb840fe8e5db94f25cff25c327f7417f405239877efd97e1c41b
Opcode Fuzzy Hash: 58ec462610557f04b89fdad6e36406f6898a850384882e3844fa6763b5850b03
Instruction Fuzzy Hash: 3F219AB1600705ABEB20DFA5DD48BA7B7F8EB40364F10C42EE54A92151EB70EE458B64

Function 00A68298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A682AA

Strings

(, xrefs: 00A682F0
|, xrefs: 00A682DA

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 50f7ae41e0ebcb238c1dda52055d913946130f3e15a76d7ff4c326e7110bcb74
Instruction ID: 16cfa3c30f9a02ef9e1ef5d5589739212289e2196a6812f0e7fa3049fbb41920
Opcode Fuzzy Hash: 50f7ae41e0ebcb238c1dda52055d913946130f3e15a76d7ff4c326e7110bcb74
Instruction Fuzzy Hash: B7323574A00605DFCB28CF59C080AAAB7F4FF48710B15C56EE59ADB3A1EB74E981CB40

Function 00A75C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A75CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A75D17
FindClose.KERNEL32(?), ref: 00A75D5F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 58634215793ea64c684239ffd7047360b7b46d772b9e1aec642eba0faa6a22f6
Instruction ID: 01ff93a2070f710ce1475974ccf74431c687a5b3e87ce893c82544b9367b2529
Opcode Fuzzy Hash: 58634215793ea64c684239ffd7047360b7b46d772b9e1aec642eba0faa6a22f6
Instruction Fuzzy Hash: C4519874A04A019FC714CF28D894A9AB7E4FF09324F14855EE95A8B3A2DB70FC04CB91

Function 00A32622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A3271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A32724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A32731

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7713b1f5f60894e0394c2c73d76a76ea6c011e84e9648a57828367c3ecbd8f6a
Instruction ID: 81758ca0a71427e773f9808ce0d6a4fe4e61bc68011f750a0e1def995949f012
Opcode Fuzzy Hash: 7713b1f5f60894e0394c2c73d76a76ea6c011e84e9648a57828367c3ecbd8f6a
Instruction Fuzzy Hash: 3931B774911228ABCB21DF68DD89BDDB7B8BF08310F5041EAE81CA7261E7309F818F45

Function 00A751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A75238
SetErrorMode.KERNEL32(00000000), ref: 00A752A1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8cc925b51fd3d574ce22d5148f126bc43c532a361eec6935cec576088942bd8e
Instruction ID: 96ec4b32ac6f2f6e4b3d7101ff553530f550592a113f720787b3e165b273d8ec
Opcode Fuzzy Hash: 8cc925b51fd3d574ce22d5148f126bc43c532a361eec6935cec576088942bd8e
Instruction Fuzzy Hash: 7B313075A00518DFDB00DF94D884EEDBBB4FF49314F148099E909AB3A2DB71E856CB91

Function 00A616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A20668
Part of subcall function 00A1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A20685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A6173A
GetLastError.KERNEL32 ref: 00A6174A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1c52ce4183afa747d353aa82df51223e38a348995664d930470841f86f545df8
Instruction ID: cafab7c012290eb4c5e0f622d441ddaf9217efa06ab582967898ffce393c76eb
Opcode Fuzzy Hash: 1c52ce4183afa747d353aa82df51223e38a348995664d930470841f86f545df8
Instruction Fuzzy Hash: 9D1191B2504304AFD718DF54EC86DABBBB9EB44764B24852EE05657641EB70BC418B60

Function 00A6D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A6D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A6D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A6D650

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 5ea5cd7c6dce21e6b2a79d177525ca7337dbde20eacd7a1a11e0ee985318b88e
Instruction ID: ac9f3fe9b2170a0bc570e220fc66162fdef2d61850da9a04a7a1b0f2e1604a62
Opcode Fuzzy Hash: 5ea5cd7c6dce21e6b2a79d177525ca7337dbde20eacd7a1a11e0ee985318b88e
Instruction Fuzzy Hash: 92115E75E05228BFDB10CF99DC45FAFBBBCEB45B60F108116F904E7290D6704A058BA1

Function 00A61663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A6168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A616A1
FreeSid.ADVAPI32(?), ref: 00A616B1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3f6f2c7a4ad22cd8067cb67ceff4b42224f498dbd45613d54a3d5d41ea9c1bea
Instruction ID: bef22bac277665b4ddaa0c2da8afc33ffd77a0cc0b805f2c048d5d5bd0361bb4
Opcode Fuzzy Hash: 3f6f2c7a4ad22cd8067cb67ceff4b42224f498dbd45613d54a3d5d41ea9c1bea
Instruction Fuzzy Hash: 82F0F475A50309FBDF00DFE4DD89AAEBBBCEB08614F504565E501E2191E774AA448A50

Function 00A2CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ae1d8de887f9af6c63cc42d0b1aff3a5a8ea30e897983a1cfacfe6d47d98466f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A4021E71E002299FDF14CFADD9806ADFBF1EF48324F254169D919E7344D731AA418B94

Function 00A768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A76918
FindClose.KERNEL32(00000000), ref: 00A76961

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ad94bd443d98613fdbd439cc15a8a376ecb9a1feebfcd0dbe0a1df5f590e3edb
Instruction ID: 7d8dd749b2cdee99030c06fa98fed89ee74d4d463beaf497ee4df6d4f3b5ac28
Opcode Fuzzy Hash: ad94bd443d98613fdbd439cc15a8a376ecb9a1feebfcd0dbe0a1df5f590e3edb
Instruction Fuzzy Hash: 501190716046019FC710DF69D884B16BBE5FF85328F14C6A9E5698F6A2CB30EC45CB91

Function 00A737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A84891,?,?,00000035,?), ref: 00A737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A84891,?,?,00000035,?), ref: 00A737F4

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a229ebea0a2e28f66e1274f9c52aef577151e578953068837c79c5dfc3f0c763
Instruction ID: c991a245bfd32c89a9b6ecf0b11cf528df9a5edbeedf6910bde9d09a0c3a6431
Opcode Fuzzy Hash: a229ebea0a2e28f66e1274f9c52aef577151e578953068837c79c5dfc3f0c763
Instruction Fuzzy Hash: 19F0E5B17042282AEB20A7A69D4DFEB7BAEEFC4771F004166F509D2281D9609945C6B0

Function 00A6B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A6B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A6B270

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4f62fcc3e55e0973ec466033a65d74dc1ffa8723120befb3c5fa830a138cbb78
Instruction ID: 22a3c702433179d98331e9469d7fedb767e5eb2e33b6bfba126c508635076559
Opcode Fuzzy Hash: 4f62fcc3e55e0973ec466033a65d74dc1ffa8723120befb3c5fa830a138cbb78
Instruction Fuzzy Hash: F3F06D7090428DABDB05CFA0C805BEE7BB0FF04315F00800AF951A5192C77982019FA4

Function 00A610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A611FC), ref: 00A610D4
CloseHandle.KERNEL32(?,?,00A611FC), ref: 00A610E9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f2fa0837a83c06aa53ce9eba349d2c7b795e7bad24ef0ef590a01e29d1eb094d
Instruction ID: 2503733a2e14bf1a104174b96e85aeaf9168eee7867e27c2abc26fd1fc2867b7
Opcode Fuzzy Hash: f2fa0837a83c06aa53ce9eba349d2c7b795e7bad24ef0ef590a01e29d1eb094d
Instruction Fuzzy Hash: 0FE04F32008640AEEB252B51FD05EB77BA9EB04320F14882EF5A5804B1DF626CE0DB10

Function 00A0CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A50C40

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: c003f806fc57871c5923e5f6b61212f9ed0184d29aa972369db7c0242086eaf3
Instruction ID: f9ad4a61b45dac28938f3ec9d4ba142203652b07f4180ddefe91cf6ba7e3a797
Opcode Fuzzy Hash: c003f806fc57871c5923e5f6b61212f9ed0184d29aa972369db7c0242086eaf3
Instruction Fuzzy Hash: E932AA7090021CDBDF14DF90E991EEDB7B5BF05314F208259E806AB2D2DB35AE4ACB61

Function 00A3676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A36766,?,?,00000008,?,?,00A3FEFE,00000000), ref: 00A36998

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 892d1cc29c31286d0412567438c41c851415fdcccff6685a6562a879bdc5989f
Instruction ID: 72197074161b3fda627a2718e9ee361849ab5f6b6f50a4c121101b44659bb75b
Opcode Fuzzy Hash: 892d1cc29c31286d0412567438c41c851415fdcccff6685a6562a879bdc5989f
Instruction Fuzzy Hash: 94B11771610609AFD719CF28C48AB657BB0FF49364F29C658F899CF2A2C735E991CB40

Function 00A1B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A5851F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4bafa4c74f206d1001e9561f3f0a18dcbd3bb02d6ca7d0503a873e4fb53d82d7
Instruction ID: 709b777902c7062dfc75fc9365ed15f57095e3d2271b5b80eec599a5cdf6d0ac
Opcode Fuzzy Hash: 4bafa4c74f206d1001e9561f3f0a18dcbd3bb02d6ca7d0503a873e4fb53d82d7
Instruction Fuzzy Hash: C3127E75A10229DFDB14CF58C9806EEB7F5FF48310F14819AE849EB255EB349A85CBA0

Function 00A7EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A7EABD

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d590014e92ea3ce0cbf839b378c9a304ef6d77101119feb1347cb1527037c55a
Instruction ID: 3fffc177f0480c529af6dc68129b7a1ebb333f94d5d98d0f013e0820e37bc7f9
Opcode Fuzzy Hash: d590014e92ea3ce0cbf839b378c9a304ef6d77101119feb1347cb1527037c55a
Instruction Fuzzy Hash: 43E01A312102049FC710EF59E904E9AB7E9AF987B0F00C456FD4AC7291DA70A8418BA1

Function 00A209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A203EE), ref: 00A209DA

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 03c5ebeebb505a73403c4755c212c92274d716d063093cb84834dcaf5533da5b
Instruction ID: b25d9550704e17ee3b78264013852b7410dcbc45927524f751f9c67a0e4a7471
Opcode Fuzzy Hash: 03c5ebeebb505a73403c4755c212c92274d716d063093cb84834dcaf5533da5b
Instruction Fuzzy Hash:

Function 00A2781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A2798B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7e0900dcf94dfc432b0c39211e04a348e422927046d3c8accb176417e24a691d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2051657160D7355BDB38877CBA5ABBE23E99B02340F180539E982D7282CA15EFC1D352

Function 00A36DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867c22394bd36280889705be10a4cf30a4d1107b52c0c5b9263e2e6b3f5fc1f4
Instruction ID: cf134811c8c2222e6372aceafef5df2de945b4b97fea2301750fbfe21172324f
Opcode Fuzzy Hash: 867c22394bd36280889705be10a4cf30a4d1107b52c0c5b9263e2e6b3f5fc1f4
Instruction Fuzzy Hash: D0321361D29F024DD7379638C82233AA649AFB73C5F15D727F81AB5DA6EB29C4C34200

Function 00A1CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fc195d1a1998d543aaff46c728361404ddae1b71b161f8cdba876c4e32a19b
Instruction ID: 407976d5d7f55fb1a2abea5409aa0057d8ff30271969e026d35de61db8e245dd
Opcode Fuzzy Hash: 83fc195d1a1998d543aaff46c728361404ddae1b71b161f8cdba876c4e32a19b
Instruction Fuzzy Hash: E1322732A003158FDF28CB69C4906BD7BB1FB45372F298166DC49DB699E234DD89DB80

Function 00A07920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a8678498356e74d218c727a8de1dd4b68146ce0c875276c396814c22d5c2a9
Instruction ID: 593bad9e3c634257f4afefd47939a7fa6ebe28779bc0c3d9c3d8a997b9063c61
Opcode Fuzzy Hash: e2a8678498356e74d218c727a8de1dd4b68146ce0c875276c396814c22d5c2a9
Instruction Fuzzy Hash: BF22BF74E04609DFDF14CFA4D981AAEB3F6FF44300F244629E816AB292EB35AD55CB50

Function 00A091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8d4bc7bd5b08dc812b0a9dc4064cd898b9023735bdc52203819ca02a81b92d
Instruction ID: 3a333357dc28fc112ee46b2bdf72d9da77d10267e0f3ac6e344d81fb358570a2
Opcode Fuzzy Hash: fe8d4bc7bd5b08dc812b0a9dc4064cd898b9023735bdc52203819ca02a81b92d
Instruction Fuzzy Hash: B502C5B5E00209EFDF04DF54D981AAEB7B5FF44340F118169E8169B2D1EB31AE61CB91

Function 00A39EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5b5b0f33fcf2d458431d9d07772f011d0cbef9fcd8c5d437b35a51533afd0
Instruction ID: 5a5da4b337ced77232686a5e9b0691c50b80514c685e859b36787f6ac9bc2c99
Opcode Fuzzy Hash: b4a5b5b0f33fcf2d458431d9d07772f011d0cbef9fcd8c5d437b35a51533afd0
Instruction Fuzzy Hash: D1B12321D2AF514DCB2396798831336F64CAFBB6D5F91D31BFC2678D62EB2286834140

Function 00A21C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9f63f09eed24a604170686eff54e0a245e1433b68c9a9ae7aff67c06088004f9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F59146725080B34ADB2D473EA57447EFFE15AA23A131A07BED4F2CA1C5FE24D954D620

Function 00A219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c19ef142046ce809b5d94ee4eeb7d54e64f11c46b4b0399e15ef66394d47e176
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A59121722090B34ADB2D477EA57443EFFF15AA23A231A07BED4F2CA1C5FE2485549620

Function 00A27A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52144c55a5c3735529d48f3c121678d91d88ecf96de2cfe8a8ff28c48ca960ac
Instruction ID: 89cfa1fe507ba53a974280a90fd7f55e02b6e3b63650b5826a02fb4bf3129c6a
Opcode Fuzzy Hash: 52144c55a5c3735529d48f3c121678d91d88ecf96de2cfe8a8ff28c48ca960ac
Instruction Fuzzy Hash: C661457120873996DF389B2CBAA6BBE23A5DF41750F20093AF843DB281DA15DF428355

Function 00A27CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a3a0efe44d6d0ef0058cb215590d0cf3b383e254752051cd67706d68f81a83
Instruction ID: a8902d56ba2f3431143b4edeb6dd37adbcc52c4febd15d30e67f48633c04372a
Opcode Fuzzy Hash: 39a3a0efe44d6d0ef0058cb215590d0cf3b383e254752051cd67706d68f81a83
Instruction Fuzzy Hash: 5A617A7560873957DE388B2C7951BBF2394EF42700F100979F843DB681DA16EF428B66

Function 00A21706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e3a08d14102ee5b3585d34d173e957329c33639147aa5ffaf699d363cdb04fbc
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F48174726090B349DB6D473E957443EFFE15AA23A131A07BDD4F2CB1C1EE24CA54E660

Function 00A72046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a67bcc82d19ef5a1b258104fd8971417df9c54bda69be35bcc7ab96f72d81f4
Instruction ID: df0c11b0af2253074080a84eb35774a917fc20208708876ddf2140d9bd33b1c0
Opcode Fuzzy Hash: 2a67bcc82d19ef5a1b258104fd8971417df9c54bda69be35bcc7ab96f72d81f4
Instruction Fuzzy Hash: B22193326216118BDB28CF79C82277A73E5A764310F19CA2EE4A7C37D0DE35A905CB90

Function 00A82ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A82B30
DeleteObject.GDI32(00000000), ref: 00A82B43
DestroyWindow.USER32 ref: 00A82B52
GetDesktopWindow.USER32 ref: 00A82B6D
GetWindowRect.USER32(00000000), ref: 00A82B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A82CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A82CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82CF8
GetClientRect.USER32(00000000,?), ref: 00A82D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A82D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D80
GlobalLock.KERNEL32(00000000), ref: 00A82D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82D98
GlobalUnlock.KERNEL32(00000000), ref: 00A82DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82DA8
GlobalFree.KERNEL32(00000000), ref: 00A82DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A9FC38,00000000), ref: 00A82DDB
GlobalFree.KERNEL32(00000000), ref: 00A82DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A82E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A82E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A82E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A8303F

Strings

static, xrefs: 00A82D3A, 00A82E91
AutoIt v3, xrefs: 00A82CF2
DISPLAY, xrefs: 00A82EA2
, xrefs: 00A82FC5

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cc5dbec8f350ca4eb34878ee44529f1d8f58a04ca86a090964757f59875af7e2
Instruction ID: 5fcbaf6f130b5423063d975f4884514cba3f98dfac21368e2df761ca957571b3
Opcode Fuzzy Hash: cc5dbec8f350ca4eb34878ee44529f1d8f58a04ca86a090964757f59875af7e2
Instruction Fuzzy Hash: 6B028075600208AFDB14DFA4DD89EAE7BB9FF48724F108159F915AB2A1DB70ED01CB60

Function 00A970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A9712F
GetSysColorBrush.USER32(0000000F), ref: 00A97160
GetSysColor.USER32(0000000F), ref: 00A9716C
SetBkColor.GDI32(?,000000FF), ref: 00A97186
SelectObject.GDI32(?,?), ref: 00A97195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A971C0
GetSysColor.USER32(00000010), ref: 00A971C8
CreateSolidBrush.GDI32(00000000), ref: 00A971CF
FrameRect.USER32(?,?,00000000), ref: 00A971DE
DeleteObject.GDI32(00000000), ref: 00A971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A97230
FillRect.USER32(?,?,?), ref: 00A97262
GetWindowLongW.USER32(?,000000F0), ref: 00A97284

Part of subcall function 00A973E8: GetSysColor.USER32(00000012), ref: 00A97421
Part of subcall function 00A973E8: SetTextColor.GDI32(?,?), ref: 00A97425
Part of subcall function 00A973E8: GetSysColorBrush.USER32(0000000F), ref: 00A9743B
Part of subcall function 00A973E8: GetSysColor.USER32(0000000F), ref: 00A97446
Part of subcall function 00A973E8: GetSysColor.USER32(00000011), ref: 00A97463
Part of subcall function 00A973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A97471
Part of subcall function 00A973E8: SelectObject.GDI32(?,00000000), ref: 00A97482
Part of subcall function 00A973E8: SetBkColor.GDI32(?,00000000), ref: 00A9748B
Part of subcall function 00A973E8: SelectObject.GDI32(?,?), ref: 00A97498
Part of subcall function 00A973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A974B7
Part of subcall function 00A973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A974CE
Part of subcall function 00A973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A974DB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8e822566487503148208059ecff967fb8a7ee7c2009a978d976e14a7e1dd062c
Instruction ID: 3f7f9339e4ef0f72ea0a67091e4994bf1b300b26e58dc3609c5159341ff447f3
Opcode Fuzzy Hash: 8e822566487503148208059ecff967fb8a7ee7c2009a978d976e14a7e1dd062c
Instruction Fuzzy Hash: F1A17E72218701AFDB01DFA4DC48A6F7BE9FB49330F100B1AF962961E1DB71E9458B61

Function 00A18D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A18E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A56AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A56AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A56F43

Part of subcall function 00A18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A18BE8,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18FC5

SendMessageW.USER32(?,00001053), ref: 00A56F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A56F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A56FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A56FB7

Strings

0, xrefs: 00A56DCF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 2c79c71cbd7805ceceb42c04419673251181fae06c8f3c2f89c13b6bdaeb1617
Instruction ID: fc790788acd74d2b997266692333efe736b260d53be0b484b331011eae99bec2
Opcode Fuzzy Hash: 2c79c71cbd7805ceceb42c04419673251181fae06c8f3c2f89c13b6bdaeb1617
Instruction Fuzzy Hash: 2912BE30601601EFDB25CF24C954BAAB7F1FB45312F94446AF885CB2A2CB35EC9ACB51

Function 00A82711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A8273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A8286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A82900
GetClientRect.USER32(00000000,?), ref: 00A8290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A82955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A82964
GetStockObject.GDI32(00000011), ref: 00A82974
SelectObject.GDI32(00000000,00000000), ref: 00A82978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A82988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A82991
DeleteDC.GDI32(00000000), ref: 00A8299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A82A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A82A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A82A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A82A77
GetStockObject.GDI32(00000011), ref: 00A82A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A82A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A82A97

Strings

static, xrefs: 00A8294F, 00A82A71
AutoIt v3, xrefs: 00A828F8
DISPLAY, xrefs: 00A8295A
msctls_progress32, xrefs: 00A82A13

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 93a7229a2e27c095e7cd8b8c09781008f352a8b2599986d85837fef097d82c8b
Instruction ID: 32f13957a632c7586e92548d0f8182c8c3cfd5bbeed83986cef9c83de6f2f6f6
Opcode Fuzzy Hash: 93a7229a2e27c095e7cd8b8c09781008f352a8b2599986d85837fef097d82c8b
Instruction Fuzzy Hash: 7FB16D71A00619BFEB14DFA8DD49FAE7BA9EB08710F004115FA15EB2D0DB70AD41CBA4

Function 00A74ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A74AED
GetDriveTypeW.KERNEL32(?,00A9CB68,?,\\.\,00A9CC08), ref: 00A74BCA
SetErrorMode.KERNEL32(00000000,00A9CB68,?,\\.\,00A9CC08), ref: 00A74D36

Strings

SSA, xrefs: 00A74CA6
ATA, xrefs: 00A74C98
RAID, xrefs: 00A74CBB
1394, xrefs: 00A74C9F
Removable, xrefs: 00A74C10, 00A74C15
Fixed, xrefs: 00A74C09
MMC, xrefs: 00A74CDE
USB, xrefs: 00A74CB4
Unknown, xrefs: 00A74BED, 00A74C83
Network, xrefs: 00A74C02
SATA, xrefs: 00A74CD0
SCSI, xrefs: 00A74C8A
SAS, xrefs: 00A74CC9
SSD, xrefs: 00A74C4A
RAMDisk, xrefs: 00A74BF4
Virtual, xrefs: 00A74CE5
ATAPI, xrefs: 00A74C91
PhysicalDrive, xrefs: 00A74B76
\\.\, xrefs: 00A74B3F
iSCSI, xrefs: 00A74CC2
Fibre, xrefs: 00A74CAD
FileBackedVirtual, xrefs: 00A74CEC
CDROM, xrefs: 00A74BFB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 143a5421841af1a43853704a53bfe8cbd179b9e88d11e495a05d94a87eacdf74
Instruction ID: 640e08b8a936a4e0a1e89b603b7c5eb8bc3ac1867f1fc095471360616e17db5c
Opcode Fuzzy Hash: 143a5421841af1a43853704a53bfe8cbd179b9e88d11e495a05d94a87eacdf74
Instruction Fuzzy Hash: 80618F31705509ABCB16DF28CE82E6977B0BF4C344B25C419F80AAB692DB35ED41DB51

Function 00A973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A97421
SetTextColor.GDI32(?,?), ref: 00A97425
GetSysColorBrush.USER32(0000000F), ref: 00A9743B
GetSysColor.USER32(0000000F), ref: 00A97446
CreateSolidBrush.GDI32(?), ref: 00A9744B
GetSysColor.USER32(00000011), ref: 00A97463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A97471
SelectObject.GDI32(?,00000000), ref: 00A97482
SetBkColor.GDI32(?,00000000), ref: 00A9748B
SelectObject.GDI32(?,?), ref: 00A97498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A97554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A97572
DrawFocusRect.USER32(?,?), ref: 00A9757D
GetSysColor.USER32(00000011), ref: 00A9758E
SetTextColor.GDI32(?,00000000), ref: 00A97596
DrawTextW.USER32(?,00A970F5,000000FF,?,00000000), ref: 00A975A8
SelectObject.GDI32(?,?), ref: 00A975BF
DeleteObject.GDI32(?), ref: 00A975CA
SelectObject.GDI32(?,?), ref: 00A975D0
DeleteObject.GDI32(?), ref: 00A975D5
SetTextColor.GDI32(?,?), ref: 00A975DB
SetBkColor.GDI32(?,?), ref: 00A975E5

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4ba31fc810f8d769ce3b0fba7a221670e79294f6472fa65c15062eb171eac3fb
Instruction ID: af83de6b4bdddf7b1da171778d7ef182b1d95fc76f0caf9a5cfdf70d2c48096d
Opcode Fuzzy Hash: 4ba31fc810f8d769ce3b0fba7a221670e79294f6472fa65c15062eb171eac3fb
Instruction Fuzzy Hash: 9F615F76A00618AFDF01DFA4DC49EEE7FB9EB08330F114116F915AB2A1DB749941CBA0

Function 00A90FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A91128
GetDesktopWindow.USER32 ref: 00A9113D
GetWindowRect.USER32(00000000), ref: 00A91144
GetWindowLongW.USER32(?,000000F0), ref: 00A91199
DestroyWindow.USER32(?), ref: 00A911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A9121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A91232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A91245
IsWindowVisible.USER32(00000000), ref: 00A912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A912D0
GetWindowRect.USER32(00000000,?), ref: 00A912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A9130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A91328
CopyRect.USER32(?,?), ref: 00A9133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A913AA

Strings

tooltips_class32, xrefs: 00A911E6
(, xrefs: 00A9131B
0, xrefs: 00A910D3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0950119a250d4d1198f87dfcddfcfb42bf703d167cfcc5964123995ba6a1d8f0
Instruction ID: 3ec1c52be4f062f1a1a76b95e4f386659a67a63c15eb61983e9c1d324747ea47
Opcode Fuzzy Hash: 0950119a250d4d1198f87dfcddfcfb42bf703d167cfcc5964123995ba6a1d8f0
Instruction Fuzzy Hash: 4CB16B71604341AFDB00DF64D984B6BBBE4FF88354F00891DF99A9B2A1CB31E845CBA1

Function 00A90241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A902E5
_wcslen.LIBCMT ref: 00A9031F
_wcslen.LIBCMT ref: 00A90389
_wcslen.LIBCMT ref: 00A903F1
_wcslen.LIBCMT ref: 00A90475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A90504

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

Part of subcall function 00A6223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A62258
Part of subcall function 00A6223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A6228A

Strings

SELECTCLEAR, xrefs: 00A9052D
SELECT, xrefs: 00A90548
VIEWCHANGE, xrefs: 00A90675
GETSELECTED, xrefs: 00A905E1
GETSELECTEDCOUNT, xrefs: 00A90470, 00A9048B
GETTEXT, xrefs: 00A903EC, 00A90407
DESELECT, xrefs: 00A9059C
ISSELECTED, xrefs: 00A904DD
FINDITEM, xrefs: 00A90627
SELECTALL, xrefs: 00A90515
GETITEMCOUNT, xrefs: 00A90316, 00A90337
GETSUBITEMCOUNT, xrefs: 00A90384, 00A9039F
SELECTINVERT, xrefs: 00A9057E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: a137fb47b92875a20b38a38d9d95ba719e96ed3f19f8204076880c40446ac872
Instruction ID: bf3880c15d65e97cadaceffdd9621b15a239b27df79d519ffd6e48438a4e97df
Opcode Fuzzy Hash: a137fb47b92875a20b38a38d9d95ba719e96ed3f19f8204076880c40446ac872
Instruction Fuzzy Hash: B9E1AD313082019FCB14DF24CA51D6EB7E6BFC8794B15896CF8969B2A1DB30ED45CB51

Function 00A18891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A18968
GetSystemMetrics.USER32(00000007), ref: 00A18970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A1899B
GetSystemMetrics.USER32(00000008), ref: 00A189A3
GetSystemMetrics.USER32(00000004), ref: 00A189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A18A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A18A3C
GetClientRect.USER32(00000000,000000FF), ref: 00A18A5A
GetStockObject.GDI32(00000011), ref: 00A18A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A18A81

Part of subcall function 00A1912D: GetCursorPos.USER32(?), ref: 00A19141
Part of subcall function 00A1912D: ScreenToClient.USER32(00000000,?), ref: 00A1915E
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000001), ref: 00A19183
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000002), ref: 00A1919D

SetTimer.USER32(00000000,00000000,00000028,00A190FC), ref: 00A18AA8

Strings

AutoIt v3 GUI, xrefs: 00A18A20

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c656caf091696f5d87c415d29564e1e612f0c6a410fe58cdf414f32dcc1d6a97
Instruction ID: 14241c0700f324783717bc43bacba3358e1944b3ced2026a4b50ea4f7ae18c76
Opcode Fuzzy Hash: c656caf091696f5d87c415d29564e1e612f0c6a410fe58cdf414f32dcc1d6a97
Instruction Fuzzy Hash: 60B17F71A40209AFDF14DFA8DD55BEE3BB5FB48315F11421AFA16A7290DB34E841CB50

Function 00A60D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
Part of subcall function 00A610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
Part of subcall function 00A610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
Part of subcall function 00A610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
Part of subcall function 00A610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A60DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A60E29
GetLengthSid.ADVAPI32(?), ref: 00A60E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A60E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A60E96
GetLengthSid.ADVAPI32(?), ref: 00A60EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A60EB5
HeapAlloc.KERNEL32(00000000), ref: 00A60EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A60EDD
CopySid.ADVAPI32(00000000), ref: 00A60EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A60F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A60F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A60F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F6E
HeapFree.KERNEL32(00000000), ref: 00A60F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F7E
HeapFree.KERNEL32(00000000), ref: 00A60F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A60F8E
HeapFree.KERNEL32(00000000), ref: 00A60F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A60FA1
HeapFree.KERNEL32(00000000), ref: 00A60FA8

Part of subcall function 00A61193: GetProcessHeap.KERNEL32(00000008,00A60BB1,?,00000000,?,00A60BB1,?), ref: 00A611A1
Part of subcall function 00A61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A60BB1,?), ref: 00A611A8
Part of subcall function 00A61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A60BB1,?), ref: 00A611B7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b6d637ee7c28f7cf2c801c81a0aca944e319e56542a9be87c6827d48ce69233f
Instruction ID: 6f4b3f874f666e640ae1eb9ca54952497292983d18c029a1e9bc186b401210e0
Opcode Fuzzy Hash: b6d637ee7c28f7cf2c801c81a0aca944e319e56542a9be87c6827d48ce69233f
Instruction Fuzzy Hash: 87716B72A0021AABDF21DFA4DD44FAFBBB8FF05311F144215FA19E6191DB319945CB60

Function 00A8C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A9CC08,00000000,?,00000000,?,?), ref: 00A8C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A8C5A4
_wcslen.LIBCMT ref: 00A8C5F4
_wcslen.LIBCMT ref: 00A8C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A8C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A8C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A8C84D
RegCloseKey.ADVAPI32(?), ref: 00A8C881
RegCloseKey.ADVAPI32(00000000), ref: 00A8C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A8C960

Strings

REG_EXPAND_SZ, xrefs: 00A8C5CD
REG_QWORD, xrefs: 00A8C8C3
REG_DWORD, xrefs: 00A8C804
REG_SZ, xrefs: 00A8C644
REG_MULTI_SZ, xrefs: 00A8C6F5
REG_BINARY, xrefs: 00A8C913

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 221a6c14173628ec49318398ca08a8cdf34776e34e5245cbe247f7dccfbf05c6
Instruction ID: 41156fcd1c0639a7d5594eebe839888cfa596c031367d82f338b76d1d798b20a
Opcode Fuzzy Hash: 221a6c14173628ec49318398ca08a8cdf34776e34e5245cbe247f7dccfbf05c6
Instruction Fuzzy Hash: 841258356042019FDB14EF14D991A2AB7E5EF88724F04889DF89A9B3A2DB31FD41CF91

Function 00A9091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A909C6
_wcslen.LIBCMT ref: 00A90A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A90A54
_wcslen.LIBCMT ref: 00A90A8A
_wcslen.LIBCMT ref: 00A90B06
_wcslen.LIBCMT ref: 00A90B81

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

Part of subcall function 00A62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A62BFA

Strings

COLLAPSE, xrefs: 00A90B01, 00A90B1C
SELECT, xrefs: 00A90D11
CHECK, xrefs: 00A90A85, 00A90AA0
GETITEMCOUNT, xrefs: 00A90C1E
GETSELECTED, xrefs: 00A90C4E
EXPAND, xrefs: 00A90BF8
ISCHECKED, xrefs: 00A90CE1
GETTEXT, xrefs: 00A90C97
UNCHECK, xrefs: 00A90D3E
GETTOTALCOUNT, xrefs: 00A909F2, 00A90A17
EXISTS, xrefs: 00A90B7C, 00A90B97

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 495c734ac68a67ccb732c9940e650a3dca067721cab286c8969361329734b6a3
Instruction ID: a3e3c5f6c445bc474ac77678cbd46397184c5ed9e8e7725c3757bb51b55aebfb
Opcode Fuzzy Hash: 495c734ac68a67ccb732c9940e650a3dca067721cab286c8969361329734b6a3
Instruction Fuzzy Hash: 5EE189362087019FCB14EF28C550D6EB7E1BF98394B15895CF8969B3A2DB30ED85CB81

Function 00A8C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
_wcslen.LIBCMT ref: 00A8C9F1
_wcslen.LIBCMT ref: 00A8CA68
_wcslen.LIBCMT ref: 00A8CA9E
_wcslen.LIBCMT ref: 00A8CAF9
_wcslen.LIBCMT ref: 00A8CB2F
_wcslen.LIBCMT ref: 00A8CB7F

Strings

HKU, xrefs: 00A8CBF0
HKCR, xrefs: 00A8CB29, 00A8CB2E
HKLM, xrefs: 00A8CA98, 00A8CA9D
HKCU, xrefs: 00A8CBCE
HKEY_CURRENT_USER, xrefs: 00A8CBBD
HKEY_CLASSES_ROOT, xrefs: 00A8CAF3, 00A8CAF8
HKCC, xrefs: 00A8CBAC
HKEY_USERS, xrefs: 00A8CBDF
HKEY_CURRENT_CONFIG, xrefs: 00A8CB79, 00A8CB7E
HKEY_LOCAL_MACHINE, xrefs: 00A8CA62, 00A8CA67

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c5a1aebcd1fa55c18546e0cb63693d86c83a855054dbf8dbd96f5fcab39ebe75
Instruction ID: 08b00c51d10d24fa96da096fbd39108c10e79e8722bbe412eeb690e236a19bc4
Opcode Fuzzy Hash: c5a1aebcd1fa55c18546e0cb63693d86c83a855054dbf8dbd96f5fcab39ebe75
Instruction Fuzzy Hash: 7B71093260056A8BCB10FF7CDD41ABF73A2AB607B4B110529F8669B284E631CD45CBB0

Function 00A9833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A9835A
_wcslen.LIBCMT ref: 00A9836E
_wcslen.LIBCMT ref: 00A98391
_wcslen.LIBCMT ref: 00A983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A95BF2), ref: 00A9844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A98487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A98501
FreeLibrary.KERNEL32(?), ref: 00A9850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9851D
DestroyIcon.USER32(?,?,?,?,?,00A95BF2), ref: 00A9852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A98549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A98555

Strings

.dll, xrefs: 00A983AB
.exe, xrefs: 00A98388
.icl, xrefs: 00A98368

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 30159a86830badc8db5311817f1c1524bfb2d8eb06617a4bec3b82cad6dac102
Instruction ID: f11b7503d270f6273388500681dff064d031e796407b5ada5c90b0034aa75695
Opcode Fuzzy Hash: 30159a86830badc8db5311817f1c1524bfb2d8eb06617a4bec3b82cad6dac102
Instruction Fuzzy Hash: 1F61DF71640619BBEF14DF64DC81BBE77A8BF09B21F10461AF815D60D1DF78A980CBA0

Function 00A07778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00A45153
#pragma compile, xrefs: 00A077D3
#comments-start, xrefs: 00A0785F, 00A078B1
', xrefs: 00A45169
#comments-end, xrefs: 00A078D9
#requireadmin, xrefs: 00A077FF
#notrayicon, xrefs: 00A077E7
#cs, xrefs: 00A07873, 00A078C5
Cannot parse #include, xrefs: 00A45279
Unterminated group of comments, xrefs: 00A4528C
#OnAutoItStartRegister, xrefs: 00A07817
Bad directive syntax error, xrefs: 00A4519A
#ce, xrefs: 00A078ED
#include, xrefs: 00A07847
#include-once, xrefs: 00A0782F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1f8565225377d44408707a41f0fa7c58ddb11d41d24a553939c128e8be9af89a
Instruction ID: 62cfdfa419cf513a3e83cec80ab21a4ec8e4418b9ace0cdeee3524dbdb54f84a
Opcode Fuzzy Hash: 1f8565225377d44408707a41f0fa7c58ddb11d41d24a553939c128e8be9af89a
Instruction Fuzzy Hash: 3081D171F04609BFDB20AF64ED42FAE37A8AF95340F044425F905AA1D2EB74EA51C7A1

Function 00A73E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A73EF8
_wcslen.LIBCMT ref: 00A73F03
_wcslen.LIBCMT ref: 00A73F5A
_wcslen.LIBCMT ref: 00A73F98
GetDriveTypeW.KERNEL32(?), ref: 00A73FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A74059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A74087

Strings

close, xrefs: 00A73EFE, 00A73F18
closed, xrefs: 00A73F08, 00A73F2D, 00A73F46, 00A73F7E, 00A73F97
open, xrefs: 00A73F54, 00A73F59
set cd door , xrefs: 00A74028
wait, xrefs: 00A74044
open , xrefs: 00A73FE5
close cd wait, xrefs: 00A74072
type cdaudio alias cd wait, xrefs: 00A74001

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e6513775b331b722197d6e6987e2c60cfdd461d21ec163baaff292772aa8cabb
Instruction ID: 97b13fba0d6a6173e603dfc3648fa080196b8c54a74b8fae1a82bdd932055075
Opcode Fuzzy Hash: e6513775b331b722197d6e6987e2c60cfdd461d21ec163baaff292772aa8cabb
Instruction Fuzzy Hash: 1E71D072A042159FC710EF24CD8096AB7F4EF98758F01C92DF59A97291EB30ED46CB92

Function 00A65A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A65A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A65A40
SetWindowTextW.USER32(?,?), ref: 00A65A57
GetDlgItem.USER32(?,000003EA), ref: 00A65A6C
SetWindowTextW.USER32(00000000,?), ref: 00A65A72
GetDlgItem.USER32(?,000003E9), ref: 00A65A82
SetWindowTextW.USER32(00000000,?), ref: 00A65A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A65AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A65AC3
GetWindowRect.USER32(?,?), ref: 00A65ACC
_wcslen.LIBCMT ref: 00A65B33
SetWindowTextW.USER32(?,?), ref: 00A65B6F
GetDesktopWindow.USER32 ref: 00A65B75
GetWindowRect.USER32(00000000), ref: 00A65B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A65BD3
GetClientRect.USER32(?,?), ref: 00A65BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A65C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A65C2F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 82023945c0ae4914d8d108f72dc0a6b7733dacf0a84234d6a5f7772c3d2f7748
Instruction ID: 126737e26e0ee25a87fbae65e8606e568a7b8d32559452c43db8f17bb7508738
Opcode Fuzzy Hash: 82023945c0ae4914d8d108f72dc0a6b7733dacf0a84234d6a5f7772c3d2f7748
Instruction Fuzzy Hash: 10716E31A00B09AFDB20DFB8CE85A6EBBF5FF48714F104519E542A25A0DB75E945CB50

Function 00A7FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A7FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00A7FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00A7FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00A7FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00A7FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00A7FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00A7FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00A7FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00A7FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00A7FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00A7FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00A7FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00A7FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00A7FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00A7FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00A7FECC
GetCursorInfo.USER32(?), ref: 00A7FEDC
GetLastError.KERNEL32 ref: 00A7FF1E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7b8df50588ca4bf4782ede70feddfa8a643122fcbfa93210ae04f05a25e508ab
Instruction ID: f90d3a034d5d60ae6d5320b225ffb9207412475e8e80548609d30f3ff8c70a0c
Opcode Fuzzy Hash: 7b8df50588ca4bf4782ede70feddfa8a643122fcbfa93210ae04f05a25e508ab
Instruction Fuzzy Hash: FF4124B0D083196EDB10DFBA9C8585EBFE8FF04764B50852AE11DEB281DB789901CE91

Function 00A200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A200C6

Part of subcall function 00A200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00AD070C,00000FA0,5BBE2EFC,?,?,?,?,00A423B3,000000FF), ref: 00A2011C
Part of subcall function 00A200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A423B3,000000FF), ref: 00A20127
Part of subcall function 00A200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A423B3,000000FF), ref: 00A20138
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A2014E
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A2015C
Part of subcall function 00A200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A2016A
Part of subcall function 00A200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A20195
Part of subcall function 00A200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A201A0

___scrt_fastfail.LIBCMT ref: 00A200E7

Part of subcall function 00A200A3: __onexit.LIBCMT ref: 00A200A9

Strings

kernel32.dll, xrefs: 00A20133
SleepConditionVariableCS, xrefs: 00A20154
WakeAllConditionVariable, xrefs: 00A20162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A20122
InitializeConditionVariable, xrefs: 00A20148

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 923c2c500a0c7b819d98ac7c0be7ca923c08a3e7b8ac87259aa9922c5f7b655c
Instruction ID: e21eabcb038a89163e7badacffc25e8e5eadc6cbe580f83b608d845f873de5ab
Opcode Fuzzy Hash: 923c2c500a0c7b819d98ac7c0be7ca923c08a3e7b8ac87259aa9922c5f7b655c
Instruction Fuzzy Hash: 0121D732745B207FEB109BB8BC06F6A73E4FB05B61F100637F806E6692DE6498008A94

Function 00A630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6318D
_wcslen.LIBCMT ref: 00A631F8

Strings

CLASS, xrefs: 00A63188, 00A631A5
NAME, xrefs: 00A63335, 00A63346
CLASSNN, xrefs: 00A631F3, 00A63204
TEXT, xrefs: 00A6347C
REGEXPCLASS, xrefs: 00A63255, 00A63266
INSTANCE, xrefs: 00A63453

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f18b4c264a1cf30d81a4741b2ff32e8c0e6698344042676f956faa01453d45fc
Instruction ID: fb5b08b1d7123f28d83cd4c7a27cdd863cde679669d52d4ae61b0b02df083d24
Opcode Fuzzy Hash: f18b4c264a1cf30d81a4741b2ff32e8c0e6698344042676f956faa01453d45fc
Instruction Fuzzy Hash: C8E1A333E00526ABCF149F78C851BEEFBB4BF54710F558129E556A7240EF30AE868790

Function 00A744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A9CC08), ref: 00A74527
_wcslen.LIBCMT ref: 00A7453B
_wcslen.LIBCMT ref: 00A74599
_wcslen.LIBCMT ref: 00A745F4
_wcslen.LIBCMT ref: 00A7463F
_wcslen.LIBCMT ref: 00A746A7

Part of subcall function 00A1F9F2: _wcslen.LIBCMT ref: 00A1F9FD

GetDriveTypeW.KERNEL32(?,00AC6BF0,00000061), ref: 00A74743

Strings

network, xrefs: 00A7469D, 00A746A2
cdrom, xrefs: 00A7458F, 00A74594
all, xrefs: 00A74531, 00A74536
removable, xrefs: 00A745EA, 00A745EF
ramdisk, xrefs: 00A746F1
fixed, xrefs: 00A74635, 00A7463A
unknown, xrefs: 00A74708

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: afae2be100ce06ef749d12a3fa56a0ee32bc0bd21e3ff478945663a8bd1223e7
Instruction ID: 7e7e60bb8e244bc2eaf9e351a07a2bb1f9274323bce96b2ef6dd5a8ad661738b
Opcode Fuzzy Hash: afae2be100ce06ef749d12a3fa56a0ee32bc0bd21e3ff478945663a8bd1223e7
Instruction Fuzzy Hash: A0B1D0716083029FC714DF28DD90A6AB7E5AFA9760F50CA2DF49AC7291D730DD44CB92

Function 00A0326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00AD1990), ref: 00A42F8D
GetMenuItemCount.USER32(00AD1990), ref: 00A4303D
GetCursorPos.USER32(?), ref: 00A43081
SetForegroundWindow.USER32(00000000), ref: 00A4308A
TrackPopupMenuEx.USER32(00AD1990,00000000,?,00000000,00000000,00000000), ref: 00A4309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A430A9

Strings

0, xrefs: 00A0327D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ad72dab62ecfce21a962fb3d5633d53ee416f9236571ac1030fa619ba521aa0c
Instruction ID: cf8555d2fb521d243bb54a87ede5f810da84b5be15942a00a5dda8fe178d8bb5
Opcode Fuzzy Hash: ad72dab62ecfce21a962fb3d5633d53ee416f9236571ac1030fa619ba521aa0c
Instruction Fuzzy Hash: 6171F535640209BEEB21CF64DC49FAABF78FF45364F204216F625AA1E0C7B1A964CB50

Function 00A96CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A96DEB

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A96E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A96E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A96E94
DestroyWindow.USER32(?), ref: 00A96EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A00000,00000000), ref: 00A96EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A96EFD
GetDesktopWindow.USER32 ref: 00A96F16
GetWindowRect.USER32(00000000), ref: 00A96F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A96F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A96F4D

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

Strings

tooltips_class32, xrefs: 00A96E58, 00A96EDD
0, xrefs: 00A96D98

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b379330980105531c7f2a19cbb5b88ff9535ba5982cf393b432f8a3b3bd0c76c
Instruction ID: 02cf44a45186eb80375c038aa394c3f3e3cfb80463f5222ab1936a24359f8964
Opcode Fuzzy Hash: b379330980105531c7f2a19cbb5b88ff9535ba5982cf393b432f8a3b3bd0c76c
Instruction Fuzzy Hash: 72715674604244AFDB21CF68D954FBABBE9FF89314F44081EF989872A1DB74A906CB11

Function 00A9911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

DragQueryPoint.SHELL32(?,?), ref: 00A99147

Part of subcall function 00A97674: ClientToScreen.USER32(?,?), ref: 00A9769A
Part of subcall function 00A97674: GetWindowRect.USER32(?,?), ref: 00A97710
Part of subcall function 00A97674: PtInRect.USER32(?,?,00A98B89), ref: 00A97720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A99225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A9923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A99255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A99277
DragFinish.SHELL32(?), ref: 00A9927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A99371

Strings

@GUI_DRAGFILE, xrefs: 00A99320
@GUI_DROPID, xrefs: 00A9929E
@GUI_DRAGID, xrefs: 00A992E9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1d863bb03d76f1811a4a10e9ba69f8b739f2faf70a1783aa8ec867cea29bbc05
Instruction ID: b7871a032a43a9a6b6968603f4d6094c2b930c4e65cfa36d91ce228d6774549e
Opcode Fuzzy Hash: 1d863bb03d76f1811a4a10e9ba69f8b739f2faf70a1783aa8ec867cea29bbc05
Instruction Fuzzy Hash: 12618A71208305AFD701DFA4DD85DAFBBE8FF89750F00091EF596961A1DB309A49CB62

Function 00A7C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A7C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A7C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A7C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A7C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A7C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A7C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A7C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A7C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A7C5F0
InternetCloseHandle.WININET(00000000), ref: 00A7C5FB

Strings

, xrefs: 00A7C575

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0964fcd4c30bbe7588568707c60ef0f2394b300e1a8c18ca06f4884e5fe938bc
Instruction ID: 7c3cb4c23895b77348e46a12daf9f7dea79ed77f717e69f1bb325edab3feb819
Opcode Fuzzy Hash: 0964fcd4c30bbe7588568707c60ef0f2394b300e1a8c18ca06f4884e5fe938bc
Instruction Fuzzy Hash: E5512BB1640604BFDB21DFA4CD88AAB7BBCFB08764F00C51EF94A96250DB35E9459B60

Function 00A9856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00A98592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985BA
GlobalLock.KERNEL32(00000000), ref: 00A985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985D7
GlobalUnlock.KERNEL32(00000000), ref: 00A985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00A9FC38,?), ref: 00A98611
GlobalFree.KERNEL32(00000000), ref: 00A98621
GetObjectW.GDI32(?,00000018,?), ref: 00A98641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A98671
DeleteObject.GDI32(?), ref: 00A98699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A986AF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb0616e9812d361f23b378f35f575a1469561248b0e99421bd28eae44dcf0e7f
Instruction ID: a4119cd520b732fc07e49e8cc16e0213d8ac4b1230fa4ff903c0e6efad490c43
Opcode Fuzzy Hash: eb0616e9812d361f23b378f35f575a1469561248b0e99421bd28eae44dcf0e7f
Instruction Fuzzy Hash: 6E411975700604AFDB11DFA5DD48EAA7BBCFF89721F108159F905EB260DB349902CB60

Function 00A714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A71502
VariantCopy.OLEAUT32(?,?), ref: 00A7150B
VariantClear.OLEAUT32(?), ref: 00A71517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A71657
VariantInit.OLEAUT32(?), ref: 00A71708
SysFreeString.OLEAUT32(?), ref: 00A7178C
VariantClear.OLEAUT32(?), ref: 00A717D8
VariantClear.OLEAUT32(?), ref: 00A717E7
VariantInit.OLEAUT32(00000000), ref: 00A71823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A71625
Default, xrefs: 00A716AF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 534a73df0a26583389f1a55b5bef1b79103984b6480344b046fbc125a56485c0
Instruction ID: 0351fb896dd781fb6d3e1f2a76c3d057fb773244402461cea81e1b7d3f892b0e
Opcode Fuzzy Hash: 534a73df0a26583389f1a55b5bef1b79103984b6480344b046fbc125a56485c0
Instruction Fuzzy Hash: C0D1DD72A00615EBDF189F69E985BB9B7F9BF44704F14C05AE40AAB180DB30EC45DB62

Function 00A8B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A8B80A
RegCloseKey.ADVAPI32(?), ref: 00A8B87E
RegCloseKey.ADVAPI32(?), ref: 00A8B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A8B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A8B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A8B922
FreeLibrary.KERNEL32(00000000), ref: 00A8B983
RegCloseKey.ADVAPI32(00000000), ref: 00A8B994

Strings

RegDeleteKeyExW, xrefs: 00A8B8FE
advapi32.dll, xrefs: 00A8B8ED

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1955b49472e2d0fd8d9a2e439f7d8d7258c7d1844d87506d096144436a33db96
Instruction ID: d63a972558fed6909e8bf41c9fba7855d8b9dd7b04c1121be5a5b8f8e0c47097
Opcode Fuzzy Hash: 1955b49472e2d0fd8d9a2e439f7d8d7258c7d1844d87506d096144436a33db96
Instruction Fuzzy Hash: 4CC17E30214201AFD714EF24C495F2ABBE5BF84318F14855CF59A4B2A2CB75ED46CBA2

Function 00A8255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A825E8
CreateCompatibleDC.GDI32(?), ref: 00A825F4
SelectObject.GDI32(00000000,?), ref: 00A82601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A8266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A826D0
SelectObject.GDI32(?,?), ref: 00A826D8
DeleteObject.GDI32(?), ref: 00A826E1
DeleteDC.GDI32(?), ref: 00A826E8
ReleaseDC.USER32(00000000,?), ref: 00A826F3

Strings

(, xrefs: 00A8268D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e228ed3dba3a004bc20e4f657d5fdcfd8ed9476ca1bcabcb8d79fb005498cff2
Instruction ID: 1e1306cfc9693be822b026aa17600b9b0bd9b3bd5a82e55462cf30454a1187db
Opcode Fuzzy Hash: e228ed3dba3a004bc20e4f657d5fdcfd8ed9476ca1bcabcb8d79fb005498cff2
Instruction Fuzzy Hash: AD61F375E00219EFCF14DFE8D984AAEBBB5FF48310F20852AE955A7250E770A941CF64

Function 00A3DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A3DAA1

Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D659
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D66B
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D67D
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D68F
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6A1
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6B3
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6C5
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6D7
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6E9
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D6FB
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D70D
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D71F
Part of subcall function 00A3D63C: _free.LIBCMT ref: 00A3D731

_free.LIBCMT ref: 00A3DA96

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3DAB8
_free.LIBCMT ref: 00A3DACD
_free.LIBCMT ref: 00A3DAD8
_free.LIBCMT ref: 00A3DAFA
_free.LIBCMT ref: 00A3DB0D
_free.LIBCMT ref: 00A3DB1B
_free.LIBCMT ref: 00A3DB26
_free.LIBCMT ref: 00A3DB5E
_free.LIBCMT ref: 00A3DB65
_free.LIBCMT ref: 00A3DB82
_free.LIBCMT ref: 00A3DB9A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b93d9865debfbc1a363ab733d278cc2a6938834d255316bd56fe93c788bb87db
Instruction ID: 5a6f6b3f117df63b7113a7ead8bf854b9a67a749510ccf9038109eb62c73cb87
Opcode Fuzzy Hash: b93d9865debfbc1a363ab733d278cc2a6938834d255316bd56fe93c788bb87db
Instruction Fuzzy Hash: DF312732A04705DFEB22AF39FA45B5AB7E9FF40360F154469F459DB191DB31AC808B20

Function 00A6365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A6369C
_wcslen.LIBCMT ref: 00A636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A63797
GetClassNameW.USER32(?,?,00000400), ref: 00A6380C
GetDlgCtrlID.USER32(?), ref: 00A6385D
GetWindowRect.USER32(?,?), ref: 00A63882
GetParent.USER32(?), ref: 00A638A0
ScreenToClient.USER32(00000000), ref: 00A638A7
GetClassNameW.USER32(?,?,00000100), ref: 00A63921
GetWindowTextW.USER32(?,?,00000400), ref: 00A6395D

Strings

%s%u, xrefs: 00A63734

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c687c729c04310573e6d506d0105ab4bbe086b0dfc0078aed55529a4be19181b
Instruction ID: be1fe28d35fc2dbdb7ff8ec8423c5fdd3129afdfe577a07ce30eed5c424c204e
Opcode Fuzzy Hash: c687c729c04310573e6d506d0105ab4bbe086b0dfc0078aed55529a4be19181b
Instruction Fuzzy Hash: 0991B172204706AFDB19DF64C895BEAB7B8FF44350F008529F99AC6190DB30EA46CB91

Function 00A64954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A64994
GetWindowTextW.USER32(?,?,00000400), ref: 00A649DA
_wcslen.LIBCMT ref: 00A649EB
CharUpperBuffW.USER32(?,00000000), ref: 00A649F7
_wcsstr.LIBVCRUNTIME ref: 00A64A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A64A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A64A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A64AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A64B20
GetWindowRect.USER32(?,?), ref: 00A64B8B

Strings

ThumbnailClass, xrefs: 00A64A6F, 00A64AF1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 85e2eadfc3d8e317f42fe1a3201848d4659b2ef9e4a54944c4ba46a6b16a6be8
Instruction ID: c75509d0ea4448aaa1a4badbe9d65717f99de2f5434cb4c5b7da586de3b3ea3b
Opcode Fuzzy Hash: 85e2eadfc3d8e317f42fe1a3201848d4659b2ef9e4a54944c4ba46a6b16a6be8
Instruction Fuzzy Hash: 1991EE72104205AFDB04CF54C981BAA7BF8FF88354F04846AFE859A196DB30ED45CBA1

Function 00A98D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A98D5A
GetFocus.USER32 ref: 00A98D6A
GetDlgCtrlID.USER32(00000000), ref: 00A98D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00A98E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A98ECF
GetMenuItemCount.USER32(?), ref: 00A98EEC
GetMenuItemID.USER32(?,00000000), ref: 00A98EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A98F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A98F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A98FA1

Strings

0, xrefs: 00A98E9F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 67087b4810601e9d2e77a437b66bacef16056baf6767b4db47cfcc5dcdc0163a
Instruction ID: 829ffd7dd2f21bf99732e8e41282d2e2c55e5c6490cd768989d0be47b221ce3d
Opcode Fuzzy Hash: 67087b4810601e9d2e77a437b66bacef16056baf6767b4db47cfcc5dcdc0163a
Instruction Fuzzy Hash: 8A81AE71608311AFDF10CF24D984AAB7BE9FF8A764F14091EF98597291DB38D901CBA1

Function 00A6DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A6DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A6DC46
_wcslen.LIBCMT ref: 00A6DC50
_wcsstr.LIBVCRUNTIME ref: 00A6DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A6DCBC

Strings

StringFileInfo\, xrefs: 00A6DC8F
04090000, xrefs: 00A6DCF2
\VarFileInfo\Translation, xrefs: 00A6DCB4
%u.%u.%u.%u, xrefs: 00A6DD9A
DefaultLangCodepage, xrefs: 00A6DD1F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a2e4626957f43e27e7a00a65b868338792c0ba9e8f8a92c42b10927afa5642de
Instruction ID: d062fb61ac710704dafddb59b9c2fcd9feb0460107f231b24558612a5e5a1120
Opcode Fuzzy Hash: a2e4626957f43e27e7a00a65b868338792c0ba9e8f8a92c42b10927afa5642de
Instruction Fuzzy Hash: 1D41F232A40214BADB10BB78ED43EFF77BCEF45760F14046AF900A6182EB749A0187A4

Function 00A8CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A8CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A8CD48

Part of subcall function 00A8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A8CCAA
Part of subcall function 00A8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A8CCBD
Part of subcall function 00A8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A8CCCF
Part of subcall function 00A8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A8CD05
Part of subcall function 00A8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A8CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A8CCF3

Strings

RegDeleteKeyExW, xrefs: 00A8CCC9
advapi32.dll, xrefs: 00A8CCB8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f6d44055cbfeb60f145bedddc85cb6c0b3c4bf68e901ad86c2b36d7669bebdd8
Instruction ID: 99bd824d0e0e7e3a3be4223593a06c78f13877c76b2c76a82845e65774a46ab7
Opcode Fuzzy Hash: f6d44055cbfeb60f145bedddc85cb6c0b3c4bf68e901ad86c2b36d7669bebdd8
Instruction Fuzzy Hash: 803160B1A01129BBDB20EB95DC88EFFBB7CEF45760F000166A905E3150DA749A46DFB0

Function 00A73D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A73D40
_wcslen.LIBCMT ref: 00A73D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A73D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A73DBE
RemoveDirectoryW.KERNEL32(?), ref: 00A73DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A73E55
CloseHandle.KERNEL32(00000000), ref: 00A73E60
CloseHandle.KERNEL32(00000000), ref: 00A73E6B

Strings

:, xrefs: 00A73D82
\, xrefs: 00A73D77
\??\%s, xrefs: 00A73D5B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: bce8975ea4260902d3188bfe979235800b84acabe54a4a0990263e245e0602fb
Instruction ID: 495915dd1e2d4a695d0d59a57a969e6c9c5ebaacde8238dabd5bfbf1b90a9d08
Opcode Fuzzy Hash: bce8975ea4260902d3188bfe979235800b84acabe54a4a0990263e245e0602fb
Instruction Fuzzy Hash: E031AF72A00219ABDF20DBA4DC49FEB37BCEF88710F1181B6F509D6061EB7097858B24

Function 00A6E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A6E6B4

Part of subcall function 00A1E551: timeGetTime.WINMM(?,?,00A6E6D4), ref: 00A1E555

Sleep.KERNEL32(0000000A), ref: 00A6E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A6E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A6E727
SetActiveWindow.USER32 ref: 00A6E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A6E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A6E773
Sleep.KERNEL32(000000FA), ref: 00A6E77E
IsWindow.USER32 ref: 00A6E78A
EndDialog.USER32(00000000), ref: 00A6E79B

Strings

BUTTON, xrefs: 00A6E719

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: dd08c2d9353f4eff710039280fccdbd739ed13aa31aed9a2f58e4ada50cda6e3
Instruction ID: d20f40dbfbbb0a2f99c876a8c98ad2a722e1a7828491fcf6d97b1ae7d8384ef2
Opcode Fuzzy Hash: dd08c2d9353f4eff710039280fccdbd739ed13aa31aed9a2f58e4ada50cda6e3
Instruction Fuzzy Hash: 19218CB9341704BFEB01DFE4EC89B263B79FB64758B101826F912821A1DF71AC16DB24

Function 00A6E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A6EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A6EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A6EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A6EAA7

Strings

status PlayMe mode, xrefs: 00A6EA58
play PlayMe, xrefs: 00A6EAA2
close PlayMe, xrefs: 00A6EA6E, 00A6EA9B
open , xrefs: 00A6EA0C
alias PlayMe, xrefs: 00A6EA36
play PlayMe wait, xrefs: 00A6EA91

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ca4e316e5b6b387a5ea8eac4a8cfbc89dca79f526ea69fe4f390042879f13c83
Instruction ID: 25407dd89247ddf614e14d7fc89b06a086a35bf1e85877def5e1890f89f75c2b
Opcode Fuzzy Hash: ca4e316e5b6b387a5ea8eac4a8cfbc89dca79f526ea69fe4f390042879f13c83
Instruction Fuzzy Hash: C111A335A5021D79D720E7A5ED4AEFF6A7CFFD1B40F0008297401A20D1EE700905C6B1

Function 00A65CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A65CE2
GetWindowRect.USER32(00000000,?), ref: 00A65CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A65D59
GetDlgItem.USER32(?,00000002), ref: 00A65D69
GetWindowRect.USER32(00000000,?), ref: 00A65D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A65DCF
GetDlgItem.USER32(?,000003E9), ref: 00A65DDD
GetWindowRect.USER32(00000000,?), ref: 00A65DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A65E31
GetDlgItem.USER32(?,000003EA), ref: 00A65E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A65E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A65E67

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0749e6f1993c3854a61fcd2787f9f0610b7bd971a7f57f5ae1d19ce74510eca1
Instruction ID: e77a8d21533aeec2de8947995a9c67e67c40b4ee5919fc598e588f8595ba1ae8
Opcode Fuzzy Hash: 0749e6f1993c3854a61fcd2787f9f0610b7bd971a7f57f5ae1d19ce74510eca1
Instruction Fuzzy Hash: 08510C71F00605AFDF18CFA8DD89AAEBBB5EF48310F548129F515E6290DB709E01CB60

Function 00A18BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A18BE8,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18FC5

DestroyWindow.USER32(?), ref: 00A18C81
KillTimer.USER32(00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A18D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A56973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000,?), ref: 00A569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A18BBA,00000000), ref: 00A569D4
DeleteObject.GDI32(00000000), ref: 00A569E6

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: beff6a349063291c40701f39ec336db2bd4fe24c9535d05a87ef873d6e0f3348
Instruction ID: 67317e849d28b787b8689e03df10be71bfbc3dc56eb7ec4c982b93d51d3d015a
Opcode Fuzzy Hash: beff6a349063291c40701f39ec336db2bd4fe24c9535d05a87ef873d6e0f3348
Instruction Fuzzy Hash: AC618D30602700EFCB25DFA8DA58BA977F1FB40352F54451AE4439B960CB39A9C6DF90

Function 00A19838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A19944: GetWindowLongW.USER32(?,000000EB), ref: 00A19952

GetSysColor.USER32(0000000F), ref: 00A19862

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6f9e3b6141c59f187250bfa8ca5a38e24116c97dcf6f6082334416978f2bd4d
Instruction ID: 850d859686d8e40cbd3b9645b0e65c3963c4a677ca90d8e61e6dc730346bf2ce
Opcode Fuzzy Hash: d6f9e3b6141c59f187250bfa8ca5a38e24116c97dcf6f6082334416978f2bd4d
Instruction Fuzzy Hash: 4641A531204640AFDB209F7C9C94BFA3BA5FB06771F244616F9A29B1E1DB319C82DB11

Function 00A696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A69717
LoadStringW.USER32(00000000,?,00A4F7F8,00000001), ref: 00A69720

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A69742
LoadStringW.USER32(00000000,?,00A4F7F8,00000001), ref: 00A69745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A69866

Strings

Line %d (File "%s"):, xrefs: 00A6978F
%s (%d) : ==> %s: %s %s, xrefs: 00A6984A
Line %d:, xrefs: 00A697A0
Error: , xrefs: 00A6981D
^ ERROR, xrefs: 00A697FB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 95c1d222f4ee9a03f381642362a387d2e6fc42cf469f3c0f62b9a3ab4226425d
Instruction ID: 3124b6f19e0d8515ea06305f75044e108b9e8372e9e5992102084a9ee42e51a2
Opcode Fuzzy Hash: 95c1d222f4ee9a03f381642362a387d2e6fc42cf469f3c0f62b9a3ab4226425d
Instruction Fuzzy Hash: 2A41197290020DAADF04EBE0EF86EEFB77CAF55340F500465B60576092EA356F49CB61

Function 00A606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A60804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A6082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A60837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A6083C

Strings

\IPC$, xrefs: 00A60784
SOFTWARE\Classes\, xrefs: 00A6070E
\CLSID, xrefs: 00A60724

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 99fbf9da71c8e6ed3806090343cf95a065c21acea194702269401187f89b06c4
Instruction ID: 811b1a488e7ed0f62704bd9ba3890ace53dc28bb2074ae88df3eacbaa83c98af
Opcode Fuzzy Hash: 99fbf9da71c8e6ed3806090343cf95a065c21acea194702269401187f89b06c4
Instruction Fuzzy Hash: B9410672D1062DABDF15EBA4ED85DEEB778BF14350F044169E901A71A1EB30AE44CBA0

Function 00A83C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A83C5C
CoInitialize.OLE32(00000000), ref: 00A83C8A
CoUninitialize.OLE32 ref: 00A83C94
_wcslen.LIBCMT ref: 00A83D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A83DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A83ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A83F0E
CoGetObject.OLE32(?,00000000,00A9FB98,?), ref: 00A83F2D
SetErrorMode.KERNEL32(00000000), ref: 00A83F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A83FC4
VariantClear.OLEAUT32(?), ref: 00A83FD8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9a07e4523d647cbb45eaeb62e562e6444de4bbeb2c390a6d2583e74a114f7fbf
Instruction ID: 1835ba6173d00249f1d459a11758abf3483f15a850ac1d9b2cbfdc222cbc3878
Opcode Fuzzy Hash: 9a07e4523d647cbb45eaeb62e562e6444de4bbeb2c390a6d2583e74a114f7fbf
Instruction Fuzzy Hash: 1CC147726083059FDB00EF68C98492BBBE9FF89B44F10491DF98A9B251DB31ED45CB52

Function 00A77A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A77AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A77B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A77BA3
CoCreateInstance.OLE32(00A9FD08,00000000,00000001,00AC6E6C,?), ref: 00A77BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A77C74
CoTaskMemFree.OLE32(?,?), ref: 00A77CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A77D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A77D7A
CoTaskMemFree.OLE32(00000000), ref: 00A77D81
CoTaskMemFree.OLE32(00000000), ref: 00A77DD6
CoUninitialize.OLE32 ref: 00A77DDC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0caa77b4653edfecdc473e7f196feb328b9382304b1c5557fcac92d7ff873ab6
Instruction ID: 894ec5bd963e2006e661599cfd2ef875c3c6aaba0f20ef16d8d267d55d5470b3
Opcode Fuzzy Hash: 0caa77b4653edfecdc473e7f196feb328b9382304b1c5557fcac92d7ff873ab6
Instruction Fuzzy Hash: F6C10C75A04109AFDB14DFA4C984DAEBBF5FF48314B14C499E81ADB262DB30ED45CB90

Function 00A9541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A95504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A95515
CharNextW.USER32(00000158), ref: 00A95544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A95585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A9559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A955AC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 16a2833d7da388fa96afa19aceef522cb7bad57706c92816d4270e23f9771490
Instruction ID: 13024a49b1d710a05ca93e6470a98a841fdbd9ef793dd114968be1fbc144b51f
Opcode Fuzzy Hash: 16a2833d7da388fa96afa19aceef522cb7bad57706c92816d4270e23f9771490
Instruction Fuzzy Hash: 0C618E35F00608AFDF12DFA4CC869FE7BF9EB45720F108145FA25AA291D7749A81DB60

Function 00A5FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A5FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A5FB08
VariantInit.OLEAUT32(?), ref: 00A5FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A5FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A5FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A5FBA1
VariantClear.OLEAUT32(?), ref: 00A5FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A5FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5FBCC
VariantClear.OLEAUT32(?), ref: 00A5FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A5FBE9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3d30bb489e4356c9ec71b1b6f2c2ec60dfe5d25ad16721dc4664acc3632f1fd0
Instruction ID: 9fa0e0447b65d0e0604220a28da64d9201241e4b89c6b2e71b7c3989707069cb
Opcode Fuzzy Hash: 3d30bb489e4356c9ec71b1b6f2c2ec60dfe5d25ad16721dc4664acc3632f1fd0
Instruction Fuzzy Hash: 04416375B00219DFCF00DFA8D8589ADBBB9FF48355F018065F916A7261CB30A946CFA1

Function 00A69C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A69CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A69D22
GetKeyState.USER32(000000A0), ref: 00A69D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A69D57
GetKeyState.USER32(000000A1), ref: 00A69D6C
GetAsyncKeyState.USER32(00000011), ref: 00A69D84
GetKeyState.USER32(00000011), ref: 00A69D96
GetAsyncKeyState.USER32(00000012), ref: 00A69DAE
GetKeyState.USER32(00000012), ref: 00A69DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A69DD8
GetKeyState.USER32(0000005B), ref: 00A69DEA

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d426351b89d01621c914e70d93ee634328ca4b3a0a43dd4116e9494aab579a7b
Instruction ID: f415de64eed881740db0a5a63f478825241c78c3ca4b22613fd14c1608f184be
Opcode Fuzzy Hash: d426351b89d01621c914e70d93ee634328ca4b3a0a43dd4116e9494aab579a7b
Instruction Fuzzy Hash: 3141C834604BC9ADFF31D7A4C8043B7BEB8AF11354F04806ADAC6565C2DBB599D8C7A2

Function 00A8055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A805BC
inet_addr.WSOCK32(?), ref: 00A8061C
gethostbyname.WSOCK32(?), ref: 00A80628
IcmpCreateFile.IPHLPAPI ref: 00A80636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A807B9
WSACleanup.WSOCK32 ref: 00A807BF

Strings

Ping, xrefs: 00A80676

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: df4deffd2172358d385edd6ad99286f1d9e0d5d57486d505776b5e41482ed65f
Instruction ID: 41c4c9b1f84c5c4a3fce10f238f762e4566622e4b5619a7183ab682c66540f60
Opcode Fuzzy Hash: df4deffd2172358d385edd6ad99286f1d9e0d5d57486d505776b5e41482ed65f
Instruction Fuzzy Hash: A891BF356086419FD360EF15D988F1ABBE0AF44318F1485A9F46A8B7A2CB70FC49CF91

Function 00A88CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A88CF3
_wcslen.LIBCMT ref: 00A88D4E
_wcslen.LIBCMT ref: 00A88D9C
_wcslen.LIBCMT ref: 00A88DDC
_wcslen.LIBCMT ref: 00A88E6E

Strings

none, xrefs: 00A88E65, 00A88E6A
cdecl, xrefs: 00A88D48, 00A88D4D
stdcall, xrefs: 00A88DD6, 00A88DDB
winapi, xrefs: 00A88D96, 00A88D9B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 2e6fe6d7cb1372a8dbe3237206260439b163979259b6cc8077d75b3927f6b230
Instruction ID: 8510f4c99b729652ffacc28e17cf02f91dbb279b30653a8426d81866853d99b3
Opcode Fuzzy Hash: 2e6fe6d7cb1372a8dbe3237206260439b163979259b6cc8077d75b3927f6b230
Instruction Fuzzy Hash: 50519231A001169BCF14EF6CC9409BEB7B5BF64724BA14229E966E72C5DF39DD40C790

Function 00A8372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A83774
CoUninitialize.OLE32 ref: 00A8377F
CoCreateInstance.OLE32(?,00000000,00000017,00A9FB78,?), ref: 00A837D9
IIDFromString.OLE32(?,?), ref: 00A8384C
VariantInit.OLEAUT32(?), ref: 00A838E4
VariantClear.OLEAUT32(?), ref: 00A83936

Strings

Invalid parameter, xrefs: 00A83865
NULL Pointer assignment, xrefs: 00A8381E
Failed to create object, xrefs: 00A837E4, 00A8389A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 9c116845e217ef08bf9ff9415da50207028960c461d62ee596a8f1bcc64a0747
Instruction ID: 7018fba300ab099831841fb79cd911c315c1f21d257f51268292860661f42b08
Opcode Fuzzy Hash: 9c116845e217ef08bf9ff9415da50207028960c461d62ee596a8f1bcc64a0747
Instruction Fuzzy Hash: 7E61A072608701AFDB10EF54C948F6ABBE8EF49B10F004849F9859B291D770EE49CB92

Function 00A78195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A78257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A78267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A78273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A78310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A7838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78395

Strings

*.*, xrefs: 00A7839B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f92adc2c33add46c576893caaa4250a9455c7a4b97dd1ceaf0e9fc59508ba842
Instruction ID: 9f9647d03d5cb6347370f647a1f15fa05edc008e296b7e9e93017e79f9f61b54
Opcode Fuzzy Hash: f92adc2c33add46c576893caaa4250a9455c7a4b97dd1ceaf0e9fc59508ba842
Instruction Fuzzy Hash: 6B617B726083059FC710EF64D9449AFB3E8FF89324F04892EF99987251DB35E945CB92

Function 00A73388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A733CF

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A733F0

Strings

Line %d (File "%s"):, xrefs: 00A73443, 00A7345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00A73504
Error: , xrefs: 00A734D1
"%s" (%d) : ==> %s:, xrefs: 00A73522
Incorrect parameters to object property !, xrefs: 00A734AB
^ ERROR , xrefs: 00A7349E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d3a555d84bdfda191e0f22ca62a5bb0525467f47ddda9f3756b81be761e47707
Instruction ID: 5731148694e8311748f712b4fcca57f84ee17e47eb6bde5e0a4cfdefcfd9d6c6
Opcode Fuzzy Hash: d3a555d84bdfda191e0f22ca62a5bb0525467f47ddda9f3756b81be761e47707
Instruction Fuzzy Hash: 77518C72900209BADF18EBE0DE46EEEB778AF04340F108465F509760A2EB312F58DB61

Function 00A6B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A6B5FC
_wcslen.LIBCMT ref: 00A6B608
_wcslen.LIBCMT ref: 00A6B64D
_wcslen.LIBCMT ref: 00A6B68C
_wcslen.LIBCMT ref: 00A6B6C7

Strings

KEYS, xrefs: 00A6B647, 00A6B64C
EXISTS, xrefs: 00A6B686, 00A6B68B
APPEND, xrefs: 00A6B6C1, 00A6B6C6
REMOVE, xrefs: 00A6B602, 00A6B607

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cdef311ad10b5a6c310a5bc23fa9c239705c074d4ea1192f9ed0ec42aad4462f
Instruction ID: a71f2486e9e38d11412c806ba035eb6320c4098aff64fb071baad5e7121924a7
Opcode Fuzzy Hash: cdef311ad10b5a6c310a5bc23fa9c239705c074d4ea1192f9ed0ec42aad4462f
Instruction Fuzzy Hash: BD41C636A211269BCB209F7DCD905BE77B5AFA0B54B254529E421DB284F731CDC1C7B0

Function 00A75393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A75416
GetLastError.KERNEL32 ref: 00A75420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A754A7

Strings

READY, xrefs: 00A75460, 00A75468
READONLY, xrefs: 00A75452
INVALID, xrefs: 00A75459
NOTREADY, xrefs: 00A7544B
UNKNOWN, xrefs: 00A75444

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8900d626af7eb4251f435f6c750ff67749e40fe954d1214448b51bde478315c9
Instruction ID: 30eb69f793a96c811293dd9b85b2dd492b0ffca5a6d45a01ede4981d58ea851e
Opcode Fuzzy Hash: 8900d626af7eb4251f435f6c750ff67749e40fe954d1214448b51bde478315c9
Instruction Fuzzy Hash: 40319F35E005049FDB10DF68C984BAABBB5EF05315F14C06AE40ACB292DBB1ED86CB91

Function 00A93C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A93C79
SetMenu.USER32(?,00000000), ref: 00A93C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A93D10
IsMenu.USER32(?), ref: 00A93D24
CreatePopupMenu.USER32 ref: 00A93D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A93D5B
DrawMenuBar.USER32 ref: 00A93D63

Strings

0, xrefs: 00A93C54
F, xrefs: 00A93D4E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: dbc055591fef9f119be17fdda8e753b9cbfae927905568833c362fb66211ef6d
Instruction ID: 8e6ef96ca79e3842608761a78aba21ca8a193d88ba3ead7a37fbd9a54b7c8c19
Opcode Fuzzy Hash: dbc055591fef9f119be17fdda8e753b9cbfae927905568833c362fb66211ef6d
Instruction Fuzzy Hash: 784157BAB01609AFDF14CFA4D894AAA7BF5FF49350F140429F946A7360D730AA11CF94

Function 00A61EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A61F64
GetDlgCtrlID.USER32 ref: 00A61F6F
GetParent.USER32 ref: 00A61F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A61F8E
GetDlgCtrlID.USER32(?), ref: 00A61F97
GetParent.USER32(?), ref: 00A61FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A61FAE

Strings

ComboBox, xrefs: 00A61EEC
ListBox, xrefs: 00A61F21

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4b545d0f90520f81de74a6a89400bbfb9736e0e40f81b54ea6032a203395e508
Instruction ID: c799f24c6a0a48f73369ba95be8ba411515dfb2cf352a2c2910b6e7953ee27e6
Opcode Fuzzy Hash: 4b545d0f90520f81de74a6a89400bbfb9736e0e40f81b54ea6032a203395e508
Instruction Fuzzy Hash: C121BE71E00218BBCF04EFA0DC85EEEBBB8EF15310F004116FA61A72E1DB3959199B60

Function 00A93A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A93A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A93AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A93AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A93AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A93B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A93BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A93BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A93BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A93BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A93C13

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2c3c78b7730eab7670622f73fcec4648d7e5a302a7da77240c95bc67b2ed3c6d
Instruction ID: ec772df00d336966dfdffb8a9349d81477c677343382ad101442030fc49babe4
Opcode Fuzzy Hash: 2c3c78b7730eab7670622f73fcec4648d7e5a302a7da77240c95bc67b2ed3c6d
Instruction Fuzzy Hash: 12615B75A00248AFDF10DFA8CD81EEE77F8EB09710F10419AFA15A7292D774AE46DB50

Function 00A6B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A6B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A6A1E1,?,00000001), ref: 00A6B21D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 584c7c38d9045d09eb397d571fb2a6b650f94d257638a6be37016840eb11a6f8
Instruction ID: d7c230950e2df76e89bcfe3f8f7ce4f546d3ec479de56a481b75a7c79687226d
Opcode Fuzzy Hash: 584c7c38d9045d09eb397d571fb2a6b650f94d257638a6be37016840eb11a6f8
Instruction Fuzzy Hash: D3319172610604BFDF10DFA4DC58BAE7BB9BB51321F108116FA06D61A0DBB49A828F71

Function 00A32C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A32C94

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A32CA0
_free.LIBCMT ref: 00A32CAB
_free.LIBCMT ref: 00A32CB6
_free.LIBCMT ref: 00A32CC1
_free.LIBCMT ref: 00A32CCC
_free.LIBCMT ref: 00A32CD7
_free.LIBCMT ref: 00A32CE2
_free.LIBCMT ref: 00A32CED
_free.LIBCMT ref: 00A32CFB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b0d061ed36a3355f28b214eeb8cb20772df4c788da4a7a1d2fc446e1d8cfb4ba
Instruction ID: f63dc1290b42930180499a3976290828c5e2d28d2da11c0e834d9bcfe3430fbf
Opcode Fuzzy Hash: b0d061ed36a3355f28b214eeb8cb20772df4c788da4a7a1d2fc446e1d8cfb4ba
Instruction Fuzzy Hash: E511C876100118BFCB02EF54EA82EDD7BA5FF45350F4144A5FA489F232DA31EE509B90

Function 00A77DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A77FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A77FC1
GetFileAttributesW.KERNEL32(?), ref: 00A77FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A78005
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78017
SetCurrentDirectoryW.KERNEL32(?), ref: 00A78060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A780B0

Strings

*.*, xrefs: 00A78066

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9be1dc4fc16b6834a89ac52d925e4977cf09fe5f113db30e09872127ac8666b7
Instruction ID: f031a54469ca3901bacdffb5334705ea7accf4969f27e5d4ea3528d952291511
Opcode Fuzzy Hash: 9be1dc4fc16b6834a89ac52d925e4977cf09fe5f113db30e09872127ac8666b7
Instruction Fuzzy Hash: E5818E725082059BDB20EF14CD449AEB3E8BF88714F54CC6EF889D7250EB75ED498B92

Function 00A05BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A05C7A

Part of subcall function 00A05D0A: GetClientRect.USER32(?,?), ref: 00A05D30
Part of subcall function 00A05D0A: GetWindowRect.USER32(?,?), ref: 00A05D71
Part of subcall function 00A05D0A: ScreenToClient.USER32(?,?), ref: 00A05D99

GetDC.USER32 ref: 00A446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A44708
SelectObject.GDI32(00000000,00000000), ref: 00A44716
SelectObject.GDI32(00000000,00000000), ref: 00A4472B
ReleaseDC.USER32(?,00000000), ref: 00A44733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A447C4

Strings

U, xrefs: 00A44693

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 624c3f43575704ddf606d20ffb04043f398a703dfb3eedfa7bd9cdaf72957d41
Instruction ID: ce9e6a25329dfd95562b047e3a94f66e4d293d400e93ba0d6dc75c3ff4390a94
Opcode Fuzzy Hash: 624c3f43575704ddf606d20ffb04043f398a703dfb3eedfa7bd9cdaf72957d41
Instruction Fuzzy Hash: 6D71F239900209EFDF21CF64C984BBA7BB5FF8A361F14426AED565A1A6C7309C42DF50

Function 00A7359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A735E4

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

LoadStringW.USER32(00AD2390,?,00000FFF,?), ref: 00A7360A

Strings

Line %d (File "%s"):, xrefs: 00A7366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00A73724
Error: , xrefs: 00A736EF
^ ERROR, xrefs: 00A736C9
"%s" (%d) : ==> %s:, xrefs: 00A73742

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 98779ed92ec2622d1902668ae16f9c9b81535d234d403c46ab90dc3df2959df0
Instruction ID: 00b9c13f7fb023a03847540edde7c6266948f02ceecb947ddcaff204aee5b1e7
Opcode Fuzzy Hash: 98779ed92ec2622d1902668ae16f9c9b81535d234d403c46ab90dc3df2959df0
Instruction Fuzzy Hash: 1A516F72D00209BADF14EBE0DE42EEEBB78AF14340F148125F105761A2DB311B99DF61

Function 00A98B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

Part of subcall function 00A1912D: GetCursorPos.USER32(?), ref: 00A19141
Part of subcall function 00A1912D: ScreenToClient.USER32(00000000,?), ref: 00A1915E
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000001), ref: 00A19183
Part of subcall function 00A1912D: GetAsyncKeyState.USER32(00000002), ref: 00A1919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00A98B6B
ImageList_EndDrag.COMCTL32 ref: 00A98B71
ReleaseCapture.USER32 ref: 00A98B77
SetWindowTextW.USER32(?,00000000), ref: 00A98C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A98C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00A98CFF

Strings

@GUI_DRAGFILE, xrefs: 00A98C9A
@GUI_DROPID, xrefs: 00A98C51

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 0f573284516f4ceb7b3b4023c5aeebadd1c94a9600d7c1c97e2e2bfe8b09b8f2
Instruction ID: 6b52cb09cc722e41a4de43cabfd8c0c1703a6bc75bd4f7e0d38e495d3017869c
Opcode Fuzzy Hash: 0f573284516f4ceb7b3b4023c5aeebadd1c94a9600d7c1c97e2e2bfe8b09b8f2
Instruction Fuzzy Hash: 5E519B71205304AFDB00DF64DDA6FAA77E4FB89710F40062EF952A72E2CB749945CB62

Function 00A7C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A7C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A7C2CA
GetLastError.KERNEL32 ref: 00A7C322
SetEvent.KERNEL32(?), ref: 00A7C336
InternetCloseHandle.WININET(00000000), ref: 00A7C341

Strings

, xrefs: 00A7C2BB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 4efc83bc1c382d9558279fff40394961be4762cb7ddba3cae2d9c587f92dcf2d
Instruction ID: 85c445c5130e58e5eed64a80c1e922d3d60c776f7bc82826926fbb07859fb2e6
Opcode Fuzzy Hash: 4efc83bc1c382d9558279fff40394961be4762cb7ddba3cae2d9c587f92dcf2d
Instruction Fuzzy Hash: E2317CB1600708AFD721DFA48D88AABBBFCEB49764F10C51EF44A97201DB34DD059B60

Function 00A6989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A43AAF,?,?,Bad directive syntax error,00A9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A698BC
LoadStringW.USER32(00000000,?,00A43AAF,?), ref: 00A698C3

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A69987

Strings

., xrefs: 00A6996D
Line %d (File "%s"):, xrefs: 00A6992D
Line %d:, xrefs: 00A69912
Error: , xrefs: 00A69955
%s (%d) : ==> %s.: %s %s, xrefs: 00A698F1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d55071eb29c262fedb23cb059c732db44e8c78664b6f08667ec86865b0c9275b
Instruction ID: e9f130f58cf4b7144eb115845bfbc489f03dd62c2fb8fed6cd082cbf5391a036
Opcode Fuzzy Hash: d55071eb29c262fedb23cb059c732db44e8c78664b6f08667ec86865b0c9275b
Instruction Fuzzy Hash: A2217A3290021EBBCF15EF90DE46EEE7779BF18300F04486AF515660A2EB31AA58DB11

Function 00A6209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A6214D

Strings

SHELLDLL_DefView, xrefs: 00A620CC
smallicons, xrefs: 00A62115
list, xrefs: 00A6212F
details, xrefs: 00A620FB
largeicons, xrefs: 00A620E1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 4c073ca017b2b316b0b641177e972f275c1316d3298877a72835fa080a9ec534
Instruction ID: 917c8d32b2ce013f17daa9ad6c27f2523eda794005726e48854c267f4a548332
Opcode Fuzzy Hash: 4c073ca017b2b316b0b641177e972f275c1316d3298877a72835fa080a9ec534
Instruction Fuzzy Hash: 74110A7668CB16B9F601A334EC06FE677BCDB16764B21022AFB04A90D1FE616C425714

Function 00A38D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32ee3d99bd697cdcb4881789862ee2055c8d8b4312bd64be51555061ae2b79b
Instruction ID: 460cc1d7360a4cddbea7e3bbe87664c50a6ceb60a2708565a4c5bd7a25c43d02
Opcode Fuzzy Hash: f32ee3d99bd697cdcb4881789862ee2055c8d8b4312bd64be51555061ae2b79b
Instruction Fuzzy Hash: 0AC1D174A04349AFDF15DFECD841BAEBBB0AF0A310F1441A9F455A7392CB749942CB61

Function 00A3CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A3CEB7
_free.LIBCMT ref: 00A3CF22
_free.LIBCMT ref: 00A3CF48
_free.LIBCMT ref: 00A3CF71
_free.LIBCMT ref: 00A3CFA9
_free.LIBCMT ref: 00A3CFDA
_free.LIBCMT ref: 00A3D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A3D09C
_free.LIBCMT ref: 00A3D0B5

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 4a0ee2547716cc2239a13e475f07845be0855458613b1d08ebd89e37e9b13f30
Instruction ID: 32ea380b144df05b93af683a140d50f37fba02456bf7eff2906e518cc65e07d7
Opcode Fuzzy Hash: 4a0ee2547716cc2239a13e475f07845be0855458613b1d08ebd89e37e9b13f30
Instruction Fuzzy Hash: E1612871905310AFDB25AFB4AD81BAE7BA6EF06330F14416EF945B7281E7329D01C790

Function 00A950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A95186
ShowWindow.USER32(?,00000000), ref: 00A951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00A951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A951D1

Part of subcall function 00A96FBA: DeleteObject.GDI32(00000000), ref: 00A96FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A9520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A9521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A9524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A95287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A95296

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 179bd0ac850ef5fd047429b463b85ad2b6043579b706ddb0bcdc9180cd190a21
Instruction ID: 5434ca3c22c8594f17a5b87d614c1c94c42b4b67a96a01d72c8149e061e674fd
Opcode Fuzzy Hash: 179bd0ac850ef5fd047429b463b85ad2b6043579b706ddb0bcdc9180cd190a21
Instruction Fuzzy Hash: 11518C34F51A08BEEF26AF74CC4BBD93BE5AB05321F244212F6159A2E0C775A981DB41

Function 00A18B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A56890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A18874,00000000,00000000,00000000,000000FF,00000000), ref: 00A56901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A5691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A18874,00000000,00000000,00000000,000000FF,00000000), ref: 00A5692D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 02ac7af4242c4a5a5ee5aea4c87f3a038786386a2e65df8340db10bb8a8f6a3b
Instruction ID: 2bdee21cfd805c39d9f2373f934481f260ce4dae787eec7b21d2e409fb1ac0fb
Opcode Fuzzy Hash: 02ac7af4242c4a5a5ee5aea4c87f3a038786386a2e65df8340db10bb8a8f6a3b
Instruction Fuzzy Hash: 9D51B6B0A04209EFDB20CF64CC95FAA3BB6FF58760F104529F906972A0DB74E991DB50

Function 00A7C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A7C182
GetLastError.KERNEL32 ref: 00A7C195
SetEvent.KERNEL32(?), ref: 00A7C1A9

Part of subcall function 00A7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7C272
Part of subcall function 00A7C253: GetLastError.KERNEL32 ref: 00A7C322
Part of subcall function 00A7C253: SetEvent.KERNEL32(?), ref: 00A7C336
Part of subcall function 00A7C253: InternetCloseHandle.WININET(00000000), ref: 00A7C341

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ea6c592f4b7d4d9c4ce365c95d84392c3f805e551d7a7106a96a8d859d6973bf
Instruction ID: 26ca5a32475109051999b190a084497b50dda11ed329cc31bef1f0ba47f53888
Opcode Fuzzy Hash: ea6c592f4b7d4d9c4ce365c95d84392c3f805e551d7a7106a96a8d859d6973bf
Instruction Fuzzy Hash: C6318371200B01AFDB21AFE5DD44AA7BBF8FF14320B50C52EF55A86611DB30E9159BA0

Function 00A625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A62601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A62605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A6260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A62623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A62627

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 88b4c7b79d334dad63573e2a9b1019cd57655eb5faa928f16e3b065dcdd19be6
Instruction ID: 22c968a20c34abd9f8b7063c80094a6d13e8831179a5e4205f09c022ab16f744
Opcode Fuzzy Hash: 88b4c7b79d334dad63573e2a9b1019cd57655eb5faa928f16e3b065dcdd19be6
Instruction Fuzzy Hash: 4801D831390A20BBFB10A7A9DC8AF593F69DF5EB61F100012F314AE0D1CDE21445DA69

Function 00A61803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A61449,?,?,00000000), ref: 00A6180C
HeapAlloc.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A61813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A61449,?,?,00000000), ref: 00A61828
GetCurrentProcess.KERNEL32(?,00000000,?,00A61449,?,?,00000000), ref: 00A61830
DuplicateHandle.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A61833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A61449,?,?,00000000), ref: 00A61843
GetCurrentProcess.KERNEL32(00A61449,00000000,?,00A61449,?,?,00000000), ref: 00A6184B
DuplicateHandle.KERNEL32(00000000,?,00A61449,?,?,00000000), ref: 00A6184E
CreateThread.KERNEL32(00000000,00000000,00A61874,00000000,00000000,00000000), ref: 00A61868

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c0b5cd1073dcb150cdf839df938633ee648268659bd6208016f96b559d461ad8
Instruction ID: 0f9539326aa416451551572a91ad027f5d12c64b39597cb6b12ff317fa1de331
Opcode Fuzzy Hash: c0b5cd1073dcb150cdf839df938633ee648268659bd6208016f96b559d461ad8
Instruction Fuzzy Hash: 4601A8B5340708BFEA10EBA5DD4AF6B7BACEB89B11F504512FA05DB1A1CA7098018B34

Function 00A8A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A6D501
Part of subcall function 00A6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A6D50F
Part of subcall function 00A6D4DC: CloseHandle.KERNEL32(00000000), ref: 00A6D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8A16D
GetLastError.KERNEL32 ref: 00A8A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A8A268
GetLastError.KERNEL32(00000000), ref: 00A8A273
CloseHandle.KERNEL32(00000000), ref: 00A8A2C4

Strings

SeDebugPrivilege, xrefs: 00A8A18F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 66449d2677d604610e5645cffd1df7eb49455bc33414598a6a24eb695c4af02c
Instruction ID: 3fda9390ebbb5054ee12bd9a3c6751b9113b9df887736ef60681faac84fca099
Opcode Fuzzy Hash: 66449d2677d604610e5645cffd1df7eb49455bc33414598a6a24eb695c4af02c
Instruction Fuzzy Hash: DF61C3702046429FE720EF18C494F56BBE1AF54318F18858DE4664F7A3DB76EC45CB92

Function 00A93886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A93925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A9393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A93954
_wcslen.LIBCMT ref: 00A93999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A939F4

Strings

SysListView32, xrefs: 00A938F7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a0550c0735e3b0daf6030af93a1700800689b7114b7973fc35e5f6644207bd0e
Instruction ID: 9787f35fb649b06185798f6fdaf07f34df19b13052bce25c5313b8f2765374ed
Opcode Fuzzy Hash: a0550c0735e3b0daf6030af93a1700800689b7114b7973fc35e5f6644207bd0e
Instruction Fuzzy Hash: 52418372A00219ABEF21DFA4CC45BEE7BF9EF08354F100526F959E7281D7759980CB90

Function 00A6BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A6BCFD
IsMenu.USER32(00000000), ref: 00A6BD1D
CreatePopupMenu.USER32 ref: 00A6BD53
GetMenuItemCount.USER32(014C5730), ref: 00A6BDA4
InsertMenuItemW.USER32(014C5730,?,00000001,00000030), ref: 00A6BDCC

Strings

2, xrefs: 00A6BD37
0, xrefs: 00A6BCA8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2ad97aa582ba17e054992a6ef28f26e582d188cb80f8aba213eda444b86293cb
Instruction ID: baaef7fb8a66a89a68a344589a70706ed3dc73afd86f2ca643db4e5fd87ec82c
Opcode Fuzzy Hash: 2ad97aa582ba17e054992a6ef28f26e582d188cb80f8aba213eda444b86293cb
Instruction Fuzzy Hash: 5751AF70A10205EBDF21DFA8D984BAEBBF8BF45324F14426AE851DB291D7709981CB71

Function 00A6C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A6C913

Strings

warning, xrefs: 00A6C8FC
info, xrefs: 00A6C8B4
stop, xrefs: 00A6C8E4
blank, xrefs: 00A6C895
question, xrefs: 00A6C8CC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b7c24f64875999f9b16a3ba3960936f1e5e5c18c125eac7c7156952d096b03ad
Instruction ID: 06da8e4084aedd268a0921de97156fcc1025e23335fc8b809f7504a8f9a42658
Opcode Fuzzy Hash: b7c24f64875999f9b16a3ba3960936f1e5e5c18c125eac7c7156952d096b03ad
Instruction Fuzzy Hash: 4511B733689706BAE715DB54AC82DBA67BCDF19774B60043FF544A7282E7B05E005264

Function 00A6ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A6ED2A
_wcslen.LIBCMT ref: 00A6ED3B
_wcslen.LIBCMT ref: 00A6ED79
_wcslen.LIBCMT ref: 00A6EDAF
_wcslen.LIBCMT ref: 00A6EDDF
_wcslen.LIBCMT ref: 00A6EDEF
_wcslen.LIBCMT ref: 00A6EE2B
_wcslen.LIBCMT ref: 00A6EE5A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4e31d4b62ddb6b6773933e03fab089386edf7938c3bb29773dc879824e70820c
Instruction ID: 84eddd4972638356ba3da74961b31db1ec33c1ca38a0a7b2ba573692e1e93838
Opcode Fuzzy Hash: 4e31d4b62ddb6b6773933e03fab089386edf7938c3bb29773dc879824e70820c
Instruction Fuzzy Hash: 22419375C10228B5DB11EBF8988A9CFB7BCAF49710F508472E528E3122FB34E255C3A5

Function 00A1F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A1F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A5F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A5F454

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7cfbf87594aebe2d03dba47be73a99596757e19ab945d96f9b7c193a41e2639f
Instruction ID: e6e4e121fb8258a03ac338f77976bb4e8cb36372f7fdb498ef0bd268193d6d05
Opcode Fuzzy Hash: 7cfbf87594aebe2d03dba47be73a99596757e19ab945d96f9b7c193a41e2639f
Instruction Fuzzy Hash: 78414B312086C0BFD738EB79CD887AA7BA1BB46331F58443DE49756560D631A8C6CB10

Function 00A92D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A92D1B
GetDC.USER32(00000000), ref: 00A92D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A92D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A92D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A92D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A92D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A92DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A92DE1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ac64b8987e6ad8d1c20f0cae51fec2cd3eccdf4599526111dded7472a65804a9
Instruction ID: edd99ada9995e53179ef94e937606816a25cf7a950baea29c25415e54404ae02
Opcode Fuzzy Hash: ac64b8987e6ad8d1c20f0cae51fec2cd3eccdf4599526111dded7472a65804a9
Instruction Fuzzy Hash: BB317C72201614BFEF118F90CC8AFEB3BA9EF09725F044056FE089A291CA759C51CBB4

Function 00A65622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A65637
_memcmp.LIBVCRUNTIME ref: 00A65659
_memcmp.LIBVCRUNTIME ref: 00A65671
_memcmp.LIBVCRUNTIME ref: 00A65684
_memcmp.LIBVCRUNTIME ref: 00A6569E
_memcmp.LIBVCRUNTIME ref: 00A656B1
_memcmp.LIBVCRUNTIME ref: 00A656C9
_memcmp.LIBVCRUNTIME ref: 00A656E4

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: db6051be97278971d2af9887a241519484ed1748319bf4d6ff3f14053a3d9226
Instruction ID: 4ade12e7f47ab12d75ef01133c44fd905f6deaa22368273b871fadf82fbda4c2
Opcode Fuzzy Hash: db6051be97278971d2af9887a241519484ed1748319bf4d6ff3f14053a3d9226
Instruction Fuzzy Hash: 2A219275F40A197BD6149635EF82FBA33BDAE20394F484430FD04AE681F720ED20C5A5

Function 00A84FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A85007
NULL Pointer assignment, xrefs: 00A8502E, 00A85383

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bc0db2e3d070406b84a8ed5c38587f54e1f158c0b2c068145b49d5294d152aab
Instruction ID: a98c2c0ef161a9bd65158b6fecdd284f28ef5b5cb17912b940d9f50cda3abbae
Opcode Fuzzy Hash: bc0db2e3d070406b84a8ed5c38587f54e1f158c0b2c068145b49d5294d152aab
Instruction Fuzzy Hash: E2D1BD75E0060AAFDF10EFA8C894BAEB7B5FF48354F148569E915AB280E770DD41CB90

Function 00A41522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00A415CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A41651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A416E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A416FB

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A41777
__freea.LIBCMT ref: 00A417A2
__freea.LIBCMT ref: 00A417AE

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 324af7965aadba3d07f58f04248c28a3435649c7fc511b4c66c326f3640a2242
Instruction ID: 56f286b85454d15c56efd9267201aca7d60efa01ddd36b00d69c89fd09a36f3d
Opcode Fuzzy Hash: 324af7965aadba3d07f58f04248c28a3435649c7fc511b4c66c326f3640a2242
Instruction Fuzzy Hash: F391B27AE002169EDF208FA4C981AEEBBB5AFC9350F184659F805E7141EB35DD81CB61

Function 00A84523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A84648
VariantInit.OLEAUT32(?), ref: 00A84749
VariantClear.OLEAUT32(?), ref: 00A84753
VariantClear.OLEAUT32(?), ref: 00A847B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00A8472C
Null Object assignment in FOR..IN loop, xrefs: 00A845D8, 00A84706, 00A847BE

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e87e3bd212aad594ff7907664deec2f9a5b3b6fd8ede69bfe87f593ae8379c06
Instruction ID: bbe24ec0a9bb558ff49101f9469e3b6c2cf229161988cbead4b3a9efb0af268d
Opcode Fuzzy Hash: e87e3bd212aad594ff7907664deec2f9a5b3b6fd8ede69bfe87f593ae8379c06
Instruction Fuzzy Hash: 3B917271A0021AAFDF24DFA5C844FAEBBB8EF4A714F108569F515AB280D7749941CFA0

Function 00A71187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A7125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A71284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A7135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A71430

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 42f86fd3b21ad5b383a7fda7fda0e0452aa7fd023ef5835cd8f10949832f462c
Instruction ID: 8b99ec0e8ee5cf9a43073f09f3927062846b0be19d616ca37d318e1c4c542a85
Opcode Fuzzy Hash: 42f86fd3b21ad5b383a7fda7fda0e0452aa7fd023ef5835cd8f10949832f462c
Instruction Fuzzy Hash: F491AE75A00219AFDB00DFA8D884BBEB7F5FF45325F14C029E958EB292D774A941CB90

Function 00A1948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f987467818002fba8f9c7cb93d18c56012f0f29d658929f6dd4dd4c56a4eac74
Instruction ID: 6156616d4041a3cb2eaa542d907c0222be5da6fff59dae446244282a81a8e96a
Opcode Fuzzy Hash: f987467818002fba8f9c7cb93d18c56012f0f29d658929f6dd4dd4c56a4eac74
Instruction Fuzzy Hash: 5B913871D40219EFCB10CFA9CC84AEEBBB9FF49320F148155E915B7251D774AA86CB60

Function 00A83947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A8396B
CharUpperBuffW.USER32(?,?), ref: 00A83A7A
_wcslen.LIBCMT ref: 00A83A8A
VariantClear.OLEAUT32(?), ref: 00A83C1F

Part of subcall function 00A70CDF: VariantInit.OLEAUT32(00000000), ref: 00A70D1F
Part of subcall function 00A70CDF: VariantCopy.OLEAUT32(?,?), ref: 00A70D28
Part of subcall function 00A70CDF: VariantClear.OLEAUT32(?), ref: 00A70D34

Strings

Incorrect Parameter format, xrefs: 00A839A6, 00A83BA1
AUTOIT.ERROR, xrefs: 00A83A80, 00A83A85

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 83c134edf5045e7a548db4269a15ea9582070d49c6bbae6e18fcf994b8125538
Instruction ID: e51aa12b5e6165b8df376e4dea182d164ec84b76dfb788267dd6220ec88bd356
Opcode Fuzzy Hash: 83c134edf5045e7a548db4269a15ea9582070d49c6bbae6e18fcf994b8125538
Instruction Fuzzy Hash: 8B917A756083059FCB04EF24C58496AB7E4FF88714F14882DF88A9B351DB31EE45CB92

Function 00A84BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?,?,00A6035E), ref: 00A6002B
Part of subcall function 00A6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60046
Part of subcall function 00A6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60054
Part of subcall function 00A6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?), ref: 00A60064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A84C51
_wcslen.LIBCMT ref: 00A84D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A84DCF
CoTaskMemFree.OLE32(?), ref: 00A84DDA

Strings

NULL Pointer assignment, xrefs: 00A84E23, 00A84E52

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2d71f9b6c9df78f6cecaf1fbb946e7453229db4f1bc3f6ec0e59a23a07da0cc5
Instruction ID: 75db48bb9f3113934378397d9fd1dd77965e87cf24d312e4bdeb255a95d91de5
Opcode Fuzzy Hash: 2d71f9b6c9df78f6cecaf1fbb946e7453229db4f1bc3f6ec0e59a23a07da0cc5
Instruction Fuzzy Hash: 0C912871D0021DAFDF14EFA4D891EEEB7B8BF08314F10816AE915A7291EB309A45CF60

Function 00A920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A92183
GetMenuItemCount.USER32(00000000), ref: 00A921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A921DD
_wcslen.LIBCMT ref: 00A92213
GetMenuItemID.USER32(?,?), ref: 00A9224D
GetSubMenu.USER32(?,?), ref: 00A9225B

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A922E3

Part of subcall function 00A6E97B: Sleep.KERNEL32 ref: 00A6E9F3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 44c43a004f249d067590ddb427a4fa056f94df468c69376b5ecea211d8dd9e51
Instruction ID: 110bff2a614c5263ff00f18c30f58a32718f75f61bdd6adaeaf9225aa05c50e6
Opcode Fuzzy Hash: 44c43a004f249d067590ddb427a4fa056f94df468c69376b5ecea211d8dd9e51
Instruction Fuzzy Hash: B1717D75B00215AFCF10EFA8D945BAEB7F5EF88320F148469E816EB341DB34AD418B90

Function 00A97E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014C5708), ref: 00A97F37
IsWindowEnabled.USER32(014C5708), ref: 00A97F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A9801E
SendMessageW.USER32(014C5708,000000B0,?,?), ref: 00A98051
IsDlgButtonChecked.USER32(?,?), ref: 00A98089
GetWindowLongW.USER32(014C5708,000000EC), ref: 00A980AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A980C3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dd6ee786c760f9efeb65a9dd17a13eb8d2d6e691846276e760597f4cb5c73bc0
Instruction ID: d365b3ed7a5157fe1bd7be03ccca02eec7841e24f32b7d26e8621db2f3a79ed5
Opcode Fuzzy Hash: dd6ee786c760f9efeb65a9dd17a13eb8d2d6e691846276e760597f4cb5c73bc0
Instruction Fuzzy Hash: 71717C34709214AFEF21DF64C994FAEBBF5EF0A310F14445AE946A7261CB35AC45DB20

Function 00A6AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A6AEF9
GetKeyboardState.USER32(?), ref: 00A6AF0E
SetKeyboardState.USER32(?), ref: 00A6AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A6AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A6AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A6AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A6B020

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5aa19537f470fe5d49792175e12064dabe97964daa7c89937c68f925d02c64da
Instruction ID: 9d19545eed4c4ac27363df73d8c2b33f7e2670241321a85517ecdebae143cf38
Opcode Fuzzy Hash: 5aa19537f470fe5d49792175e12064dabe97964daa7c89937c68f925d02c64da
Instruction Fuzzy Hash: 3751C2A0A147D53DFB3683348C45BBABEF95B06304F088489E1D9958C3C7A9ACC4DB62

Function 00A6ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A6AD19
GetKeyboardState.USER32(?), ref: 00A6AD2E
SetKeyboardState.USER32(?), ref: 00A6AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A6ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A6ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A6AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A6AE38

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b894f7995741a31c0833ee3b0bf2b5f3db2e2dce00c6b8024a598fa92927f5a
Instruction ID: 0a85e7a775ef423527265aa8e781541281b3e697c43c6c5c4b7c8ffc040b61a9
Opcode Fuzzy Hash: 3b894f7995741a31c0833ee3b0bf2b5f3db2e2dce00c6b8024a598fa92927f5a
Instruction Fuzzy Hash: 0A5108A16047E57DFB3383348C95BBA7EF85B55300F088489E1D5668C3D7A5EC84DB62

Function 00A3542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00A43CD6,?,?,?,?,?,?,?,?,00A35BA3,?,?,00A43CD6,?,?), ref: 00A35470
__fassign.LIBCMT ref: 00A354EB
__fassign.LIBCMT ref: 00A35506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A43CD6,00000005,00000000,00000000), ref: 00A3552C
WriteFile.KERNEL32(?,00A43CD6,00000000,00A35BA3,00000000,?,?,?,?,?,?,?,?,?,00A35BA3,?), ref: 00A3554B
WriteFile.KERNEL32(?,?,00000001,00A35BA3,00000000,?,?,?,?,?,?,?,?,?,00A35BA3,?), ref: 00A35584

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4ac015ef570ed81df96a002731da5d936c399a96a680cf76ebce2b5020b89567
Instruction ID: ef8afdda1fe4aaf7938fd958ad3d9e37c760b5a5d76fe0d6538fa80213b65e42
Opcode Fuzzy Hash: 4ac015ef570ed81df96a002731da5d936c399a96a680cf76ebce2b5020b89567
Instruction Fuzzy Hash: A2519071E00649AFDB10CFA8D845AEEBBF9EF09310F14456AF956E7291D730AA41CB60

Function 00A22D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A22D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A22D53
_ValidateLocalCookies.LIBCMT ref: 00A22DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A22E0C
_ValidateLocalCookies.LIBCMT ref: 00A22E61

Strings

csm, xrefs: 00A22DF6

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f6177b5dad0ad0ceca91dd9618c2631c49202fcad35706c938b5183eaeffa7f8
Instruction ID: feee4d2df80f0fd5f1e062d9b922675b8e7cea834ed4872612ed2839dfa94694
Opcode Fuzzy Hash: f6177b5dad0ad0ceca91dd9618c2631c49202fcad35706c938b5183eaeffa7f8
Instruction Fuzzy Hash: 4E419D35E00229BBCF10DF6CE845BAEBBB5BF45324F148165E815AB392D735AA05CB90

Function 00A810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
Part of subcall function 00A8304E: _wcslen.LIBCMT ref: 00A8309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A81112
WSAGetLastError.WSOCK32 ref: 00A81121
WSAGetLastError.WSOCK32 ref: 00A811C9
closesocket.WSOCK32(00000000), ref: 00A811F9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 16f08654171c90c2fd2adfe024563eb684677807c8e37185be3bd04fa890d91a
Instruction ID: fd42c740b001dad7fa498e57a22e2a22a187b1be48b8e1acb4322ab9140ea617
Opcode Fuzzy Hash: 16f08654171c90c2fd2adfe024563eb684677807c8e37185be3bd04fa890d91a
Instruction Fuzzy Hash: BE41F431600604AFDB10EF54D888BA9B7E9FF45764F148259F9059B291DB70AD82CBE1

Function 00A6CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A6CF22,?), ref: 00A6DDFD

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A6CF22,?), ref: 00A6DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A6CF45
MoveFileW.KERNEL32(?,?), ref: 00A6CF7F
_wcslen.LIBCMT ref: 00A6D005
_wcslen.LIBCMT ref: 00A6D01B
SHFileOperationW.SHELL32(?), ref: 00A6D061

Strings

\*.*, xrefs: 00A6CFF3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 692c56f8eab060b1f12e1d969fe8516766c858289d58de7f98056c64d121e2b5
Instruction ID: 8a7b5fef1d3e89a7b80b69048d6b051f375ea8e0b943336b3bd432efdca7a891
Opcode Fuzzy Hash: 692c56f8eab060b1f12e1d969fe8516766c858289d58de7f98056c64d121e2b5
Instruction Fuzzy Hash: 59416971D452189FDF12EFA4DA81AEEB7B8AF08780F0000E6E545EB142EF34A785CB50

Function 00A92DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A92E1C
GetWindowLongW.USER32(?,000000F0), ref: 00A92E4F
GetWindowLongW.USER32(?,000000F0), ref: 00A92E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A92EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A92EE0
GetWindowLongW.USER32(?,000000F0), ref: 00A92EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A92F0B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4316235a1fe43541631db931063aeaf8b3c8d67b6e31d2d853d8d12cdf781501
Instruction ID: d2b8a6463b02a633c54837e8c4b61c04ac5c1e38076472ce5de4b938fcd15124
Opcode Fuzzy Hash: 4316235a1fe43541631db931063aeaf8b3c8d67b6e31d2d853d8d12cdf781501
Instruction Fuzzy Hash: B4310E35745240AFEF21CF98DCD4FA53BE0FB8A720F1501A6FA018B2B2CB61A8419B50

Function 00A67726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6778F
SysAllocString.OLEAUT32(00000000), ref: 00A67792
SysAllocString.OLEAUT32(?), ref: 00A677B0
SysFreeString.OLEAUT32(?), ref: 00A677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A677DE
SysAllocString.OLEAUT32(?), ref: 00A677EC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c1cb0d659a13a10af0e694e10330433a7f759e221fdb1aa48ed0a4daff455311
Instruction ID: cc141da66d3234c5ae35470a26c1cf0146d928bed6a3e020b5e3d031d883954e
Opcode Fuzzy Hash: c1cb0d659a13a10af0e694e10330433a7f759e221fdb1aa48ed0a4daff455311
Instruction Fuzzy Hash: 87218E76718219AFDF10DFA8CD88CBF77BCEB09768B048126BA15DB190DA74DC428764

Function 00A677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A67868
SysAllocString.OLEAUT32(00000000), ref: 00A6786B
SysAllocString.OLEAUT32 ref: 00A6788C
SysFreeString.OLEAUT32 ref: 00A67895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A678AF
SysAllocString.OLEAUT32(?), ref: 00A678BD

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2f17a68b4dc05a4081b2661c7a0a0fbb0c3bd1baf1a3dccbc41f0d3682844a9e
Instruction ID: 53406930a27d483acfbecf581bf90ad2e65322bafce783038712e36c30559047
Opcode Fuzzy Hash: 2f17a68b4dc05a4081b2661c7a0a0fbb0c3bd1baf1a3dccbc41f0d3682844a9e
Instruction Fuzzy Hash: D7215C36718204AFDF10AFE8DC8CDAE77BCEB097647108126B915CB2A1DA74DC81CB64

Function 00A704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A7052E

Strings

nul, xrefs: 00A70567

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 008b9c51011e3fe6c2623f75d613473fc0703907541bba6e03b8bb7b0efdd213
Instruction ID: 60847a61f8a852b82bd2604bc6b99800376817ad71d4a4fd76ebcf8043a56c68
Opcode Fuzzy Hash: 008b9c51011e3fe6c2623f75d613473fc0703907541bba6e03b8bb7b0efdd213
Instruction Fuzzy Hash: 80216D75600305EBDF209F69DC44E9A7BB4AF54724F20CA19F8A9D62E0D7709941CF20

Function 00A705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A70601

Strings

nul, xrefs: 00A70639

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1b3261fdf13aa573d48bedc43109a30a0388b47fcf7b55495df601c76cc3e328
Instruction ID: a255ff784e31f17bc10a3b1fa04c99ea06296c0229f040fabaa7288f08d2dbca
Opcode Fuzzy Hash: 1b3261fdf13aa573d48bedc43109a30a0388b47fcf7b55495df601c76cc3e328
Instruction Fuzzy Hash: 12218375600305DBDB209F698C54E9A77E4BF95734F20CB1AF8A5E72D0DBB09961CB20

Function 00A940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
Part of subcall function 00A0600E: GetStockObject.GDI32(00000011), ref: 00A06060
Part of subcall function 00A0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A94112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A9411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A9412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A94139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A94145

Strings

Msctls_Progress32, xrefs: 00A940E3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7d7190d1938a8caa42394ebe47959df6c1476d3b819036bec3cb9b6e8f629444
Instruction ID: 638a25ddf0199bf460be004d3b3ed89835d0505450d5bc2be6d431a3ac20e382
Opcode Fuzzy Hash: 7d7190d1938a8caa42394ebe47959df6c1476d3b819036bec3cb9b6e8f629444
Instruction Fuzzy Hash: 0711B6B224011D7EEF118F64CC85EE77F9DEF08798F114111B718A2050C7769C22DBA4

Function 00A3D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A3D7A3: _free.LIBCMT ref: 00A3D7CC

_free.LIBCMT ref: 00A3D82D

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3D838
_free.LIBCMT ref: 00A3D843
_free.LIBCMT ref: 00A3D897
_free.LIBCMT ref: 00A3D8A2
_free.LIBCMT ref: 00A3D8AD
_free.LIBCMT ref: 00A3D8B8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae7fcd789960766625c394a40f1b6d8a2e79cbfab2602943b83fb950f3c6d686
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D0118F71940B14FADA31BFF0EE47FCBBBDCAF40700F400825B699AA292DA75B5058760

Function 00A6DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A6DA74
LoadStringW.USER32(00000000), ref: 00A6DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A6DA91
LoadStringW.USER32(00000000), ref: 00A6DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A6DAB9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 280d23dfdd23c887e7c0a0a5948b772387ac19fc81258e7ce78eeb2cc9baa853
Instruction ID: 96556582262b0f30cbc2cfc998c96f4947e821687d9779def181c48699196f56
Opcode Fuzzy Hash: 280d23dfdd23c887e7c0a0a5948b772387ac19fc81258e7ce78eeb2cc9baa853
Instruction Fuzzy Hash: BD0162F2A042087FEB10DBE09D89EE7367CE708351F400596B706E2041EA749E854F74

Function 00A7096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014BE910,014BE910), ref: 00A7097B
EnterCriticalSection.KERNEL32(014BE8F0,00000000), ref: 00A7098D
TerminateThread.KERNEL32(?,000001F6), ref: 00A7099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00A709A9
CloseHandle.KERNEL32(?), ref: 00A709B8
InterlockedExchange.KERNEL32(014BE910,000001F6), ref: 00A709C8
LeaveCriticalSection.KERNEL32(014BE8F0), ref: 00A709CF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 90cbfde32a7bb48d895f9e4fcf94794d0b814aa0f48fb4b0e623bf5e7bd5cc5b
Instruction ID: 4d6b81e7a50dde10044fca618554b4a4cee21c510e0fdc892dc45daffb4e957d
Opcode Fuzzy Hash: 90cbfde32a7bb48d895f9e4fcf94794d0b814aa0f48fb4b0e623bf5e7bd5cc5b
Instruction Fuzzy Hash: 62F01D32542912EBDB41ABA4EE89AD6BA25BF01712F805016F201508A0CB75A466CFA0

Function 00A81C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A81DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A81DE1
WSAGetLastError.WSOCK32 ref: 00A81DF2
htons.WSOCK32(?,?,?,?,?), ref: 00A81EDB
inet_ntoa.WSOCK32(?), ref: 00A81E8C

Part of subcall function 00A639E8: _strlen.LIBCMT ref: 00A639F2

Part of subcall function 00A83224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00A7EC0C), ref: 00A83240

_strlen.LIBCMT ref: 00A81F35

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9a8de73515aeae26ff5b19427c2b061395ba95b6257315be06d28b094310e81d
Instruction ID: f6921c4a7114a3eba2f2747466bfbd60497d9272866e02ac397b225f1214003c
Opcode Fuzzy Hash: 9a8de73515aeae26ff5b19427c2b061395ba95b6257315be06d28b094310e81d
Instruction Fuzzy Hash: 46B10171604300AFC724EF24C885E2A7BE9AF84318F54894CF55A5F2E2DB71ED82CB91

Function 00A05D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A05D30
GetWindowRect.USER32(?,?), ref: 00A05D71
ScreenToClient.USER32(?,?), ref: 00A05D99
GetClientRect.USER32(?,?), ref: 00A05ED7
GetWindowRect.USER32(?,?), ref: 00A05EF8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 0c82094de5cf531e5d917b027ec5a994508159b16a4e8f74f1d06017188bd9a8
Instruction ID: c95a61e64e0beb05e95ef7491fac186f6ce54a92d6e33f9a08d1e1fef1570246
Opcode Fuzzy Hash: 0c82094de5cf531e5d917b027ec5a994508159b16a4e8f74f1d06017188bd9a8
Instruction Fuzzy Hash: C1B15739A00A4ADBDB14CFB9C4807EAB7F1FF58310F14941AE8A9D7290DB34AA51DF54

Function 00A301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A300D6
__allrem.LIBCMT ref: 00A300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A3010B
__allrem.LIBCMT ref: 00A30122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A30140

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: f0c2f542ce8eb99528898409866193df5ef832fe3798f7ebf89b1a0de83daa13
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 1A812476A00B169FE7249F2CDD52F6BB3F9AF41760F24423AF551D6681E770D9008B90

Function 00A361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A282D9,00A282D9,?,?,?,00A3644F,00000001,00000001,8BE85006), ref: 00A36258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A3644F,00000001,00000001,8BE85006,?,?,?), ref: 00A362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A363D8
__freea.LIBCMT ref: 00A363E5

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

__freea.LIBCMT ref: 00A363EE
__freea.LIBCMT ref: 00A36413

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7a098e0cd0179c91da055f1dba73df16701c505e488116c8673fe5efc26944a8
Instruction ID: 5abebf7b378d8d53bcfa6e9eb1004a8adc2efc93523d10bf95d12dd8e950b292
Opcode Fuzzy Hash: 7a098e0cd0179c91da055f1dba73df16701c505e488116c8673fe5efc26944a8
Instruction Fuzzy Hash: 2151AF73A00216BBEF258FA4DD81EBF7BA9EB44750F258629FC05DA141EB34DC44C6A0

Function 00A8BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A8BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A8BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8BDF3
RegCloseKey.ADVAPI32(?), ref: 00A8BDFF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 877aa6dd504b2657c074e9374cbab3593c30dcb0a308e6fed23689f5d961d394
Instruction ID: 511f4b8cc296ec4e4d069add1d635fe6d48fa449b66d649c6e714e0cba0f7672
Opcode Fuzzy Hash: 877aa6dd504b2657c074e9374cbab3593c30dcb0a308e6fed23689f5d961d394
Instruction Fuzzy Hash: 2B81AF70218241EFD714EF24C991E2ABBE5FF84308F14895CF4598B2A2DB31ED45CBA2

Function 00A5F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A5F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A5F860
VariantCopy.OLEAUT32(00A5FA64,00000000), ref: 00A5F889
VariantClear.OLEAUT32(00A5FA64), ref: 00A5F8AD
VariantCopy.OLEAUT32(00A5FA64,00000000), ref: 00A5F8B1
VariantClear.OLEAUT32(?), ref: 00A5F8BB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 460d32a52f57a8f2493e2ef896f8b0662ef1af1f3ba78293229d03a697413cb0
Instruction ID: 7c4b8ac8a3667d3063d572f44ee9d99f331ad5eabe913366b3447ae397a09590
Opcode Fuzzy Hash: 460d32a52f57a8f2493e2ef896f8b0662ef1af1f3ba78293229d03a697413cb0
Instruction Fuzzy Hash: 6E51C331600710FECF20AB65D995B29B3A8FF45312F248467ED06DF296DB709C84C796

Function 00A7910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A794E5
_wcslen.LIBCMT ref: 00A79506
_wcslen.LIBCMT ref: 00A7952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A79585

Strings

X, xrefs: 00A79412

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a67d841fecb6bc88f75375ab890cf69617ce19326fca5a75b012d1bacee134d9
Instruction ID: a8755faad98f0ca7bedeabae7d2d62ad9079b7c26c9e3b559ed6df09c556a75a
Opcode Fuzzy Hash: a67d841fecb6bc88f75375ab890cf69617ce19326fca5a75b012d1bacee134d9
Instruction Fuzzy Hash: AFE1C1316083508FD724EF24D981A6BB7E4BF85314F04C96DF8999B2A2DB30ED05CB92

Function 00A1920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

BeginPaint.USER32(?,?,?), ref: 00A19241
GetWindowRect.USER32(?,?), ref: 00A192A5
ScreenToClient.USER32(?,?), ref: 00A192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A192D3
EndPaint.USER32(?,?,?,?,?), ref: 00A19321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A571EA

Part of subcall function 00A19339: BeginPath.GDI32(00000000), ref: 00A19357

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d51bb2693cd85eeba925282b22235e4649f7198587f71ce47f9dcaa71d52c83b
Instruction ID: e4b374a5aee486f51ff5e243cec6e708fb0a858d6cd9a253fe2872630047e13d
Opcode Fuzzy Hash: d51bb2693cd85eeba925282b22235e4649f7198587f71ce47f9dcaa71d52c83b
Instruction Fuzzy Hash: 46419F30205600AFD711DFA4DCA4FAB7BB8FB45721F14022AF9659B2B2C7319886DB61

Function 00A707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A7080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A70847
EnterCriticalSection.KERNEL32(?), ref: 00A70863
LeaveCriticalSection.KERNEL32(?), ref: 00A708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A70921

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b202ef0ac7e6170479c668b51405597535e51f6ae4b2e7a9698f742808f3bd7b
Instruction ID: c220fcf0bdea55aea871ea97c5b261053893a1238374e3ff5b237cf34ddd84ea
Opcode Fuzzy Hash: b202ef0ac7e6170479c668b51405597535e51f6ae4b2e7a9698f742808f3bd7b
Instruction Fuzzy Hash: DA415A71A00205EFDF14EF94DD85AAA77B8FF44310F1480A5ED049A29BDB30DE65DBA4

Function 00A981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A5F3AB,00000000,?,?,00000000,?,00A5682C,00000004,00000000,00000000), ref: 00A9824C
EnableWindow.USER32(?,00000000), ref: 00A98272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A982D1
ShowWindow.USER32(?,00000004), ref: 00A982E5
EnableWindow.USER32(?,00000001), ref: 00A9830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A9832F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f3e42d429e1302608b01d4c86199b8c55ae954da2b1d590f714c19c4d8b4b0b7
Instruction ID: 41513ff057d9702e5db00cfb8b234b7688b35db65dc702a26bc8f71d1bfcb7dd
Opcode Fuzzy Hash: f3e42d429e1302608b01d4c86199b8c55ae954da2b1d590f714c19c4d8b4b0b7
Instruction Fuzzy Hash: B141A334702644AFDF21CF55C899BE57BE0FB0B714F1841AAE5194F2A3CB39A842CB50

Function 00A64C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A64C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A64CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A64CEA
_wcslen.LIBCMT ref: 00A64D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A64D10
_wcsstr.LIBVCRUNTIME ref: 00A64D1A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9a97a046b7e62d009e23914e6236c4ef4476a5fbf68ff972266a70da279b6e71
Instruction ID: f17684cdea2c4f6f915b35529e998546814ff7aa7c5ee4205c2d32ec94093575
Opcode Fuzzy Hash: 9a97a046b7e62d009e23914e6236c4ef4476a5fbf68ff972266a70da279b6e71
Instruction Fuzzy Hash: B9212332604240BFEB259B79AD09E7B7BBCDF49760F10803AF905CA192EE65CC4192A0

Function 00A7581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A03A97,?,?,00A02E7F,?,?,?,00000000), ref: 00A03AC2

_wcslen.LIBCMT ref: 00A7587B
CoInitialize.OLE32(00000000), ref: 00A75995
CoCreateInstance.OLE32(00A9FCF8,00000000,00000001,00A9FB68,?), ref: 00A759AE
CoUninitialize.OLE32 ref: 00A759CC

Strings

.lnk, xrefs: 00A75876, 00A758C1, 00A75985

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c43ff43011dbd60d220f7efdfbb044f458d8e1e421bfc2068e782d615503ed89
Instruction ID: 4a48f8e26921f519df361aa05691acb94875db37a42af91bb0abd343b21c8f6e
Opcode Fuzzy Hash: c43ff43011dbd60d220f7efdfbb044f458d8e1e421bfc2068e782d615503ed89
Instruction Fuzzy Hash: 20D16471A047059FC714DF24C980A2ABBE5FF89714F14885DF88A9B3A1DB71EC45CB92

Function 00A6175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A60FCA
Part of subcall function 00A60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A60FD6
Part of subcall function 00A60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A60FE5
Part of subcall function 00A60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A60FEC
Part of subcall function 00A60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A61002

GetLengthSid.ADVAPI32(?,00000000,00A61335), ref: 00A617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A617BA
HeapAlloc.KERNEL32(00000000), ref: 00A617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A617DA
GetProcessHeap.KERNEL32(00000000,00000000,00A61335), ref: 00A617EE
HeapFree.KERNEL32(00000000), ref: 00A617F5

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 296d33eb27dd217fec96046231b6b3fe33890570f499d9b95f987e47fd60413d
Instruction ID: 9e2671dfd828c5a43d49ea4cbc838c73708b28f6421e5fbbd9775dea6c98a8af
Opcode Fuzzy Hash: 296d33eb27dd217fec96046231b6b3fe33890570f499d9b95f987e47fd60413d
Instruction Fuzzy Hash: B211A932600605EFDB10DFA4CC49FAE7BB9EB42365F284119F481A7210DB36AA41CF60

Function 00A614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A61506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A61515
CloseHandle.KERNEL32(00000004), ref: 00A61520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A6154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A61563

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 16547be8acbd3eb87bc16636c618c2a62bf639b320af615824f74ed3b88ce9e2
Instruction ID: 0414117875b03b1671c0511ff84b22cafe411837f6e30a99979bc7cefb77886f
Opcode Fuzzy Hash: 16547be8acbd3eb87bc16636c618c2a62bf639b320af615824f74ed3b88ce9e2
Instruction Fuzzy Hash: CB112972601209ABDF11CFE8EE49FDE7BB9EF48758F084015FA05A2060C7758E61DB61

Function 00A23382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A23379,00A22FE5), ref: 00A23390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A2339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A233B7
SetLastError.KERNEL32(00000000,?,00A23379,00A22FE5), ref: 00A23409

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e661b98aa4efb7b545022488b87a1135b76c451b0bf31284754ea62c14f089a3
Instruction ID: 5c310506349c6f9e0950964ae93798d8d8a8b71998f7efaeb234ba776a6fa5e6
Opcode Fuzzy Hash: e661b98aa4efb7b545022488b87a1135b76c451b0bf31284754ea62c14f089a3
Instruction Fuzzy Hash: 23012433208731BEEE24B7BC7D85A272A99EB07779720023AF410881F0FF194E035144

Function 00A32D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A35686,00A43CD6,?,00000000,?,00A35B6A,?,?,?,?,?,00A2E6D1,?,00AC8A48), ref: 00A32D78
_free.LIBCMT ref: 00A32DAB
_free.LIBCMT ref: 00A32DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A2E6D1,?,00AC8A48,00000010,00A04F4A,?,?,00000000,00A43CD6), ref: 00A32DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A2E6D1,?,00AC8A48,00000010,00A04F4A,?,?,00000000,00A43CD6), ref: 00A32DEC
_abort.LIBCMT ref: 00A32DF2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 34e6501072c56248229714c0e6f4f28692958e4fe5f817657149556f5ecf882e
Instruction ID: 74eea2cd0f2f9b6f1f46d98381c43a73bcfc2fa5aecfb744ae39553bfba63419
Opcode Fuzzy Hash: 34e6501072c56248229714c0e6f4f28692958e4fe5f817657149556f5ecf882e
Instruction Fuzzy Hash: 35F0F632645A102BD62277B9BD0AF5F2669AFC27F1F250519F828D71E2EF3488035360

Function 00A98A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196A2
Part of subcall function 00A19639: BeginPath.GDI32(?), ref: 00A196B9
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A98A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A98A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A98A70
LineTo.GDI32(?,00000000,00000003), ref: 00A98A80
EndPath.GDI32(?), ref: 00A98A90
StrokePath.GDI32(?), ref: 00A98AA0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fc1181c4db4e405b9d50b7398f90cdc7a1dec7db8430a949b6444017ce84f394
Instruction ID: f1f16c95e15adf28856db22ce8a093a06689e78649e42220e3583e3252f132d2
Opcode Fuzzy Hash: fc1181c4db4e405b9d50b7398f90cdc7a1dec7db8430a949b6444017ce84f394
Instruction Fuzzy Hash: FC11CC76140149FFDF11DFD4EC48E9A7F6DEB04364F048012FA1996161CB719D56DB60

Function 00A651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A65218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A65229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A65230
ReleaseDC.USER32(00000000,00000000), ref: 00A65238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A6524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A65261

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cf0060e75d099411b044052d0970c5c8cc9e4c62fdd08fbc5f0a8b59a3a3a5af
Instruction ID: d86f078c78ac607f304fa7cf88e05e8ac160a1f3d98c8e60029ab0ac39033b7a
Opcode Fuzzy Hash: cf0060e75d099411b044052d0970c5c8cc9e4c62fdd08fbc5f0a8b59a3a3a5af
Instruction Fuzzy Hash: 30014475E00B14BBEB109BF59C49A5EBFB8EF44761F144066FA04A7281DA709905CB60

Function 00A01BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A01BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A01BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A01C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A01C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A01C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A01C22

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d0b2e48712477675de595c67c3d9a12fcfcd2c13929a87173cacb73c0c896d29
Instruction ID: d59b012671a552ab9af5031eb7f5e11aec87810618e417dafd9cb8c593d45c03
Opcode Fuzzy Hash: d0b2e48712477675de595c67c3d9a12fcfcd2c13929a87173cacb73c0c896d29
Instruction Fuzzy Hash: BD016CB0902B597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 00A6EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A6EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A6EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A6EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6EB75

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6855f4fc8a48b7e53b0ce7f4e443acb86fee0f1ba39b4ce742f52198e9811c6d
Instruction ID: 1e1ee81b0f1fcf9c806b6f8d25715af7e6a9f681fdd2d4bbd260dd1874641aac
Opcode Fuzzy Hash: 6855f4fc8a48b7e53b0ce7f4e443acb86fee0f1ba39b4ce742f52198e9811c6d
Instruction Fuzzy Hash: 8CF05472340958BBE72197929C0EEEF7E7CEFCAB21F00415AF601D1091DBA45A02C6B5

Function 00A57439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A57452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A57469
GetWindowDC.USER32(?), ref: 00A57475
GetPixel.GDI32(00000000,?,?), ref: 00A57484
ReleaseDC.USER32(?,00000000), ref: 00A57496
GetSysColor.USER32(00000005), ref: 00A574B0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8ef4f941042f58323d201fdffb0ae80b0a69371680e2aacf1b4def237a55fb4b
Instruction ID: cf6bc9378648e34db58272fe58cd67263710f754979e82a03ef3382a067b224d
Opcode Fuzzy Hash: 8ef4f941042f58323d201fdffb0ae80b0a69371680e2aacf1b4def237a55fb4b
Instruction Fuzzy Hash: F6014B31600615EFDB519FA8EC08BAE7BB5FB04322F614165FE16A21A1CF311E52EB50

Function 00A61874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A6187F
UnloadUserProfile.USERENV(?,?), ref: 00A6188B
CloseHandle.KERNEL32(?), ref: 00A61894
CloseHandle.KERNEL32(?), ref: 00A6189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A618A5
HeapFree.KERNEL32(00000000), ref: 00A618AC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 45058d3460852b82d17ca90a3f80d46ee397cf1e05304e8134004b82166bbb67
Instruction ID: 39223bf13f0c78dd19ff82e4f26d758fa219ca552a274ea899b37b72cca18e08
Opcode Fuzzy Hash: 45058d3460852b82d17ca90a3f80d46ee397cf1e05304e8134004b82166bbb67
Instruction Fuzzy Hash: E1E0C236204901BBDA019BE1EE0C90ABB29FB49B32B208222F22585070CF329422DB64

Function 00A6C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A6C6EE
_wcslen.LIBCMT ref: 00A6C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A6C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A6C7CA

Strings

0, xrefs: 00A6C6AF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b2563846454394a19d9f2543d53cd614161888c309fbfc7c5318e10785368043
Instruction ID: 6026c9ed2ba2e4e0ab7a6fd70f3b55ba9958cdfd0fd9ae00663f969b567fa453
Opcode Fuzzy Hash: b2563846454394a19d9f2543d53cd614161888c309fbfc7c5318e10785368043
Instruction Fuzzy Hash: AA51CD71604340ABD7109F28D985B7BB7F8AF49324F040A2AF9E6D32E1DB70D9448B96

Function 00A8AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A8AEA3

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

GetProcessId.KERNEL32(00000000), ref: 00A8AF38
CloseHandle.KERNEL32(00000000), ref: 00A8AF67

Strings

@, xrefs: 00A8AE72
<, xrefs: 00A8AE6B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4ce241357133f17330477e7c0be0752e46fe41753e649c526d5e4a464cf57aa3
Instruction ID: b6669b0cb916bd908a94419e5a292a6b014b19a9fa52a7a48c565284dfd145ec
Opcode Fuzzy Hash: 4ce241357133f17330477e7c0be0752e46fe41753e649c526d5e4a464cf57aa3
Instruction Fuzzy Hash: A6717B71A00619DFDB14EF94D584A9EBBF0FF08314F04849AE816AB392CB75ED85CB91

Function 00A6719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A67206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A6723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A6724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A672CF

Strings

DllGetClassObject, xrefs: 00A67242

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad44950683faf3462fcf1b3350c502c5053ee19d1d67bda5117a1658e5540795
Instruction ID: be58f5e44c5eb6243ddf1acba8247e47155d7bddefbb4e3a1dd0b700930f51f8
Opcode Fuzzy Hash: ad44950683faf3462fcf1b3350c502c5053ee19d1d67bda5117a1658e5540795
Instruction Fuzzy Hash: 2B417EB1A14204EFDB15CFA4C894A9E7BB9EF44718F2480ADFD059F20AD7B0D945CBA0

Function 00A93D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A93E35
IsMenu.USER32(?), ref: 00A93E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A93E92
DrawMenuBar.USER32 ref: 00A93EA5

Strings

0, xrefs: 00A93D89

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b15da153d5212495545841fb7d3b941517d12d8ea22558a5db07c51ed14ecdc3
Instruction ID: b4cf87a107e8144532104bdd84a3c6c39fb511e425d7d018d28bbea143d08f4f
Opcode Fuzzy Hash: b15da153d5212495545841fb7d3b941517d12d8ea22558a5db07c51ed14ecdc3
Instruction Fuzzy Hash: ED411876A01209AFDF10DF94D884AAABBF9FF49364F044129E905AB250D730AE55CF50

Function 00A61DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A61E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A61E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A61EA9

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Strings

ComboBox, xrefs: 00A61DF0
ListBox, xrefs: 00A61E25

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 063b0608c3abd6383d02f06df0eba374c861013aef1b0e5f6e69cbbf2e654865
Instruction ID: ce66fdbcaee863eead2e02d33891752140884ec0ec24bf27e0b1dc7955e3071a
Opcode Fuzzy Hash: 063b0608c3abd6383d02f06df0eba374c861013aef1b0e5f6e69cbbf2e654865
Instruction Fuzzy Hash: 2C212772E00108BEDB14ABA4DD45DFFBBB8EF45360B184519F925A71E1DB398D0A9620

Function 00A92F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A92F8D
LoadLibraryW.KERNEL32(?), ref: 00A92F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A92FA9
DestroyWindow.USER32(?), ref: 00A92FB1

Strings

SysAnimate32, xrefs: 00A92F68

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a5891a14aeac3d6b7330ba24e2eedae3673c22fe23b319a64716ed8d5ad3b2e0
Instruction ID: c040788bda2f914ed54f1cd814d360e45fcaa45dd3a48c3d25de15fb349ae8d3
Opcode Fuzzy Hash: a5891a14aeac3d6b7330ba24e2eedae3673c22fe23b319a64716ed8d5ad3b2e0
Instruction Fuzzy Hash: 9C218872300209BBEF108FA4DC84FBB37F9EB59364F104619FA5492190D771DC619760

Function 00A24D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A24D1E,00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002), ref: 00A24D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A24DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A24D1E,00A328E9,?,00A24CBE,00A328E9,00AC88B8,0000000C,00A24E15,00A328E9,00000002,00000000), ref: 00A24DC3

Strings

mscoree.dll, xrefs: 00A24D86
CorExitProcess, xrefs: 00A24D98

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2743bca03155dec652b8af684155eca8288858f01da9f691c5eeff3d33f69f9b
Instruction ID: 78ee3b45ada72faf3f98995a5aec838d125340859a6ae17d7e12b668357b8809
Opcode Fuzzy Hash: 2743bca03155dec652b8af684155eca8288858f01da9f691c5eeff3d33f69f9b
Instruction Fuzzy Hash: 65F06234A40618BBDB119FD4EC49FAEBFB5EF48761F4001A5F809A22A0CF345D41CB94

Function 00A04E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04EAE
FreeLibrary.KERNEL32(00000000,?,?,00A04EDD,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04EC0

Strings

kernel32.dll, xrefs: 00A04E94
Wow64DisableWow64FsRedirection, xrefs: 00A04EA8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f77a1d1b84d7aca3da2dd7e86062fd7d2c3d1fbe866c46084bef00cbbcd0af86
Instruction ID: 679f7aa8226b20c40453a0ca06dddb066e21fbf6f73453acc0fe36d1a6491b20
Opcode Fuzzy Hash: f77a1d1b84d7aca3da2dd7e86062fd7d2c3d1fbe866c46084bef00cbbcd0af86
Instruction Fuzzy Hash: 46E08636B059226BD2215765BC18B9B6554BF85F727150216FD04D2150DF64CD0340E4

Function 00A04E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04E74
FreeLibrary.KERNEL32(00000000,?,?,00A43CDE,?,00AD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A04E87

Strings

kernel32.dll, xrefs: 00A04E5B
Wow64RevertWow64FsRedirection, xrefs: 00A04E6E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 046f4604775e9526fc463d2dc9fdbc1a82c657beb209de51035b36f645833fc9
Instruction ID: 973f82e7c58c34baffe6155ed56ea155c4b5f3bea64f8428112b1576b9f72e0e
Opcode Fuzzy Hash: 046f4604775e9526fc463d2dc9fdbc1a82c657beb209de51035b36f645833fc9
Instruction Fuzzy Hash: B5D0C232702E2167CA221B24BC08ECB2A18BF89F31315061AFA09A2190CF24CD0281D4

Function 00A72947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72C05
DeleteFileW.KERNEL32(?), ref: 00A72C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A72C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A72CC0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 157e1042a8c9bceb7ddb4834d4b499c7e71d33d8c6947733f0b3000aff6d1152
Instruction ID: 20886968a658521a7ff6536041a08dd0b97f5e19acc6973d33c93135e9bd5ac7
Opcode Fuzzy Hash: 157e1042a8c9bceb7ddb4834d4b499c7e71d33d8c6947733f0b3000aff6d1152
Instruction Fuzzy Hash: 28B13D72D0012DABDF11DFA4DD85EDEB7BDEF49350F1080A6F509E6141EA309A448F61

Function 00A8A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A8A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A8A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A8A468
CloseHandle.KERNEL32(?), ref: 00A8A63D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b5559223f4a1c2db34984a0bcfabec4d6bc6a8288d96308a9b14d8ca7d52f583
Instruction ID: 8ebe37126079eb4e6333eeb7daef571d0c15157dda3d69e6961c953d5f5bbae3
Opcode Fuzzy Hash: b5559223f4a1c2db34984a0bcfabec4d6bc6a8288d96308a9b14d8ca7d52f583
Instruction Fuzzy Hash: 34A1C1716043019FE720EF28D986F2AB7E1AF94714F14881DF55A9B2D2DBB0EC41CB92

Function 00A6E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A6CF22,?), ref: 00A6DDFD

Part of subcall function 00A6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A6CF22,?), ref: 00A6DE16

Part of subcall function 00A6E199: GetFileAttributesW.KERNEL32(?,00A6CF95), ref: 00A6E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A6E473
MoveFileW.KERNEL32(?,?), ref: 00A6E4AC
_wcslen.LIBCMT ref: 00A6E5EB
_wcslen.LIBCMT ref: 00A6E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A6E650

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b136ecf96fca992380443993a7ee84912d69ac693d231cd2d3dddf0c9b38d40d
Instruction ID: a441ac083c3932a5828867dbf16d47c9a47e9a4519f68f33a7765ebe770d1a1f
Opcode Fuzzy Hash: b136ecf96fca992380443993a7ee84912d69ac693d231cd2d3dddf0c9b38d40d
Instruction Fuzzy Hash: 7C51A6B25083849FC724EBA4DD819DF73ECAF84340F00492EF689D3191EF75A6888766

Function 00A8B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8B6AE,?,?), ref: 00A8C9B5
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8C9F1
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA68
Part of subcall function 00A8C998: _wcslen.LIBCMT ref: 00A8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A8BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A8BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A8BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A8BBB3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: bd7b41f33b9444d4d4e90bc33ce4de13cb866463e0387c3b821fd5f4167a1089
Instruction ID: a1cec1487fd8217669209f3e8e3c17e28d1fb76e709ffbd4edbe83dc11847b54
Opcode Fuzzy Hash: bd7b41f33b9444d4d4e90bc33ce4de13cb866463e0387c3b821fd5f4167a1089
Instruction Fuzzy Hash: 7161C131218245EFD314EF14C494E2ABBE5FF84348F14855CF4998B2A2DB31ED45CBA2

Function 00A68BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A68BCD
VariantClear.OLEAUT32 ref: 00A68C3E
VariantClear.OLEAUT32 ref: 00A68C9D
VariantClear.OLEAUT32(?), ref: 00A68D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A68D3B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 74e37abc527953135ed2e216847eb2dc16ced205b5cbbae4e97f0d449ca60151
Instruction ID: cb85d848ac305a2708d25f898836cd42037ec7dab6ea5414ac712b2957518ead
Opcode Fuzzy Hash: 74e37abc527953135ed2e216847eb2dc16ced205b5cbbae4e97f0d449ca60151
Instruction Fuzzy Hash: 05517BB5A00619EFCB10CF68C884AAAB7F8FF89310B158559F915DB350EB34E911CFA0

Function 00A78AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A78BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A78BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A78C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A78C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A78C5F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f62f8d36645085c24e0e203be805298a95df83c9dac92199237062569bd916a5
Instruction ID: df54a7b35975c5257fb5e0b6d2219913ed42608df30b7fd7297eed5cf2cb322e
Opcode Fuzzy Hash: f62f8d36645085c24e0e203be805298a95df83c9dac92199237062569bd916a5
Instruction Fuzzy Hash: D5513A35A002199FCB01DF64C985AADBBF5BF48314F08C459E84AAB3A2CB35ED41CB90

Function 00A88EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A88F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A88FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A88FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A89032
FreeLibrary.KERNEL32(00000000), ref: 00A89052

Part of subcall function 00A1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A71043,?,753CE610), ref: 00A1F6E6
Part of subcall function 00A1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A5FA64,00000000,00000000,?,?,00A71043,?,753CE610,?,00A5FA64), ref: 00A1F70D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 11b36b1c1e63987998cc5ff679aaa4398478d2bec6ba6864c2443bdb5451cc60
Instruction ID: 13503d135921f7dee3039b2cbde48057286721356ea64f81255de090f4e4c245
Opcode Fuzzy Hash: 11b36b1c1e63987998cc5ff679aaa4398478d2bec6ba6864c2443bdb5451cc60
Instruction Fuzzy Hash: D3514035605205DFC711EF54C5848AEBBF1FF49324B488099E91A9B362DB31ED86CF91

Function 00A96B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A96C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A96C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A96C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A7AB79,00000000,00000000), ref: 00A96C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A96CC7

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cc84716b8fe38a0f53e7134c881d52736aee1ed5cc42f2b49414ab9c822fef5b
Instruction ID: 4a363215b8c02cd0fbccb14b664e4e05b5a828b2c9d0c7280b815294bffd712b
Opcode Fuzzy Hash: cc84716b8fe38a0f53e7134c881d52736aee1ed5cc42f2b49414ab9c822fef5b
Instruction Fuzzy Hash: CC41AE35B04104AFDF24CF68CD98FA97BE5EF09360F150229F999A72A0D771AD41CA50

Function 00A32051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A320C3
_free.LIBCMT ref: 00A320E3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 51aa75ec95fbfb2a17f6e6f88b7b4bf8fb69ea548a1b5397194dd40f8b2ab1c8
Instruction ID: 9307b560e2bfbb5a727d4bf68968204168cbf2491b9fadc4f139f117826d673b
Opcode Fuzzy Hash: 51aa75ec95fbfb2a17f6e6f88b7b4bf8fb69ea548a1b5397194dd40f8b2ab1c8
Instruction Fuzzy Hash: E741B132A00200AFCB24DF78C981B5EB7B5EF89714F1545A9F616EB391DA31AD01CB80

Function 00A1912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A19141
ScreenToClient.USER32(00000000,?), ref: 00A1915E
GetAsyncKeyState.USER32(00000001), ref: 00A19183
GetAsyncKeyState.USER32(00000002), ref: 00A1919D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 975c824cd6f9ef9dea6a6bc2abe8cc918874c8423fa6aeda228ae07efa95c2e6
Instruction ID: 9fe5dfc5bb04af64d29e6c0b42b1bb7b2097e211f4e22a78cccaa8f43f7ad739
Opcode Fuzzy Hash: 975c824cd6f9ef9dea6a6bc2abe8cc918874c8423fa6aeda228ae07efa95c2e6
Instruction Fuzzy Hash: ED414075A0851ABBDF159F64D858BEEB7B4FB05324F204315E829A72E0C7306994CB51

Function 00A73874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A73922
TranslateMessage.USER32(?), ref: 00A7394B
DispatchMessageW.USER32(?), ref: 00A73955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A73966

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5a23b7118d87c938faae469d00fa88637b92e6d3f675c216e35705c691bfcb2a
Instruction ID: 3fe6224245ae54e277d60265203044073d9b1059e34f9d90f2cbe8d2c3e930c0
Opcode Fuzzy Hash: 5a23b7118d87c938faae469d00fa88637b92e6d3f675c216e35705c691bfcb2a
Instruction Fuzzy Hash: E1312B72605341AEEF34CBB4DC68BB637E8AB05300F05C56ED56B86190D7F49686EB11

Function 00A7CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A7CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A7C21E,00000000), ref: 00A7CFF2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 5d971174800e4746dcfdf0c4e19531397e7aeab0e0af3e654340ff4a0ba5a189
Instruction ID: ae8368b4f7f968a5f652e233dc9e013dcff3a40c02d75068f1e213a9de152619
Opcode Fuzzy Hash: 5d971174800e4746dcfdf0c4e19531397e7aeab0e0af3e654340ff4a0ba5a189
Instruction Fuzzy Hash: 77314871600705AFDB20DFA5DD84AABBBF9EB14365B10C42EF50AE2141DB30AE41DB60

Function 00A61901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A61915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A619E2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 57d24810a7dc5f34c4adb251edb5ac1421e419cc1777f203c3c59c7b66c79d91
Instruction ID: 19e0d62a5a4ce8aa60570a2778015c84231e182a1991c92f8bd3154abaea5da3
Opcode Fuzzy Hash: 57d24810a7dc5f34c4adb251edb5ac1421e419cc1777f203c3c59c7b66c79d91
Instruction Fuzzy Hash: 1931C072A00219EFCB00CFA8CD99ADE3FB5EB04325F144229FA21A72D1C7709944CB90

Function 00A80930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A80951
GetForegroundWindow.USER32 ref: 00A80968
GetDC.USER32(00000000), ref: 00A809A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A809B0
ReleaseDC.USER32(00000000,00000003), ref: 00A809E8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 821a1a98bb33742153dc60282c4341f53e893ce802705bd2b769512e961079ea
Instruction ID: 233b1afd734121e1934ced1394b2f107dd8970d34ec82aeb2bdf4bbbf5f5e8a5
Opcode Fuzzy Hash: 821a1a98bb33742153dc60282c4341f53e893ce802705bd2b769512e961079ea
Instruction Fuzzy Hash: 3D218135600204AFD714EFA9DD84EAEBBF5EF48710F048069E85A97362DB30AC45CB50

Function 00A3CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A3CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A3CDE9

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A3CE0F
_free.LIBCMT ref: 00A3CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A3CE31

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a3b82a15538bb5bd8d43a4bbf2c5440ea1e86f66b3b0f69b4c42e9ede9afc700
Instruction ID: 50fb3b615565c8cbd430db8defca39829d0824a78bc2a17be3297b72020f22d1
Opcode Fuzzy Hash: a3b82a15538bb5bd8d43a4bbf2c5440ea1e86f66b3b0f69b4c42e9ede9afc700
Instruction Fuzzy Hash: D301F7726016257FA32167B67C8CD7B796DDEC6FB1B25012AFD05E7201EE618D0283B0

Function 00A19639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
SelectObject.GDI32(?,00000000), ref: 00A196A2
BeginPath.GDI32(?), ref: 00A196B9
SelectObject.GDI32(?,00000000), ref: 00A196E2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 27004e0414888d6abc86530aeb435d834778c0e5e056a9dacce424c35e6e3eb1
Instruction ID: 9c698bfe9f34a13daa270c2dc566a059126c62d7ae6a2cec38a95ba45a29e811
Opcode Fuzzy Hash: 27004e0414888d6abc86530aeb435d834778c0e5e056a9dacce424c35e6e3eb1
Instruction Fuzzy Hash: 16214F70902305FBDB11DFA4EC247EA3BB8BB50365F500217F832A61B1D7705896CBA5

Function 00A1990C Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A198CC
SetTextColor.GDI32(?,?), ref: 00A198D6
SetBkMode.GDI32(?,00000001), ref: 00A198E9
GetStockObject.GDI32(00000005), ref: 00A198F1
GetWindowLongW.USER32(?,000000EB), ref: 00A19952

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 890eb222ffb7741905a9437c7fb39b37de4fe70bcabcd83605233395aeb57fe4
Instruction ID: 2cf01ada42b638b18110af098a933ee82c89fba5cd25244bbde2929007e79930
Opcode Fuzzy Hash: 890eb222ffb7741905a9437c7fb39b37de4fe70bcabcd83605233395aeb57fe4
Instruction Fuzzy Hash: B9212731246250AFCB128F64EC64AEB3B70EF13771B18425EF9928E1B1CB314982CB51

Function 00A65711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A65726
_memcmp.LIBVCRUNTIME ref: 00A65744
_memcmp.LIBVCRUNTIME ref: 00A65757
_memcmp.LIBVCRUNTIME ref: 00A6576F
_memcmp.LIBVCRUNTIME ref: 00A65787

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: bbf89b7803b0ca77f776078dd43f48cb7bf60019f4e54c7fbf6dc8c3a2a0ddb8
Instruction ID: 1ecb057d2465bf82627e3c1dda88e109bf2535628c7c7e6063a767060c298ddc
Opcode Fuzzy Hash: bbf89b7803b0ca77f776078dd43f48cb7bf60019f4e54c7fbf6dc8c3a2a0ddb8
Instruction Fuzzy Hash: 88015271B41619BE96089625AF82EBA63ADAB613A4F004831FD04AE641F661ED2082A5

Function 00A32DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A2F2DE,00A33863,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6), ref: 00A32DFD
_free.LIBCMT ref: 00A32E32
_free.LIBCMT ref: 00A32E59
SetLastError.KERNEL32(00000000,00A01129), ref: 00A32E66
SetLastError.KERNEL32(00000000,00A01129), ref: 00A32E6F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0bd5591baed54b0841636082d7d9e8b259b4ae17ab2f1a01f9699a4a3b7b4199
Instruction ID: 02732ed2f91cf8ed0c859eac605fe74d289a8f1124a06a4c54ecbbb08dae9366
Opcode Fuzzy Hash: 0bd5591baed54b0841636082d7d9e8b259b4ae17ab2f1a01f9699a4a3b7b4199
Instruction Fuzzy Hash: DA012832205A006BCA12A7B57D47F2B2E6DABD53B1F350129F425A32D2EF748C025320

Function 00A6000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?,?,00A6035E), ref: 00A6002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?), ref: 00A60064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A5FF41,80070057,?,?), ref: 00A60070

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ade3bee65eba24dbd44846da5440b2bf64a49b7cbdae1b46138551cbcfb3d409
Instruction ID: 101e40950ba63da1b79d5fbd3647a978cc2826e6341260cce97b4cc864b4cfe7
Opcode Fuzzy Hash: ade3bee65eba24dbd44846da5440b2bf64a49b7cbdae1b46138551cbcfb3d409
Instruction Fuzzy Hash: E9018B72600604BFDB118FA8DC08FAB7ABDEB447A2F158125F905D6210EBB1DD818BA0

Function 00A6E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A6E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A6E9A5
Sleep.KERNEL32(00000000), ref: 00A6E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A6E9B7
Sleep.KERNEL32 ref: 00A6E9F3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 721ca464ba7b5768199e9da42906bb25c9992d9e4108b1e5ca3136aa799ab292
Instruction ID: 0c535de7a9f2c8124ee1f653b8a194cafd24f80cbc26ccab5b3228fde1841dc2
Opcode Fuzzy Hash: 721ca464ba7b5768199e9da42906bb25c9992d9e4108b1e5ca3136aa799ab292
Instruction Fuzzy Hash: B5015736D01A29DBCF00EFE5DC59AEDFB78FF08B11F100646E502B2241CB3095528BA5

Function 00A610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A61114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A6112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A60B9B,?,?,?), ref: 00A61136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A6114D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 827aad5ce8c368659ac53628999686e074eafdd5bddc494b2b8bf6e231062881
Instruction ID: c93e927c7b119286f0fcf53d5604c6e961f3c4db56427abd5c7b4303fb83be9d
Opcode Fuzzy Hash: 827aad5ce8c368659ac53628999686e074eafdd5bddc494b2b8bf6e231062881
Instruction Fuzzy Hash: 420169B5200605BFDB118FA4DC49A6A3F7EEF8A3A4B64441AFA41C7360DE31DC018A60

Function 00A60FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A60FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A60FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A60FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A60FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A61002

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a5108117ae5c986483bd943b3e472a7c3cea85ce6bc73156cb81550ffced509e
Instruction ID: 48363efb599037a27e54772bcd87541d64c2928b5bd66f3e292d6b60135ae1f5
Opcode Fuzzy Hash: a5108117ae5c986483bd943b3e472a7c3cea85ce6bc73156cb81550ffced509e
Instruction Fuzzy Hash: 70F04935200711ABDB218FA49C49F5A3FADEF89762F654426FA46C6261CE70DC418A70

Function 00A61014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A6102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A61036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61062

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 28041edd6ed666a572b58a96bd37f3b43cf006ce284cf74b432b86c2f911ea60
Instruction ID: a92120eac476aefc21a70bcefec27f2baab0b663cad73d2c597e6f6adb3cb1ef
Opcode Fuzzy Hash: 28041edd6ed666a572b58a96bd37f3b43cf006ce284cf74b432b86c2f911ea60
Instruction Fuzzy Hash: 58F04935200711ABDF219FA4EC49F5A3FADEF89761F650426FA45C6260CE70D8418AB0

Function 00A7030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70324
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70331
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A7033E
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A7034B
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70358
CloseHandle.KERNEL32(?,?,?,?,00A7017D,?,00A732FC,?,00000001,00A42592,?), ref: 00A70365

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d02aac1378304f555f90b72c956e5890753829a14f5232cb50eec266f908283d
Instruction ID: 2ce346ca514176ba4b860f85a8932369e058d0b492f785948d50bc46c5037c65
Opcode Fuzzy Hash: d02aac1378304f555f90b72c956e5890753829a14f5232cb50eec266f908283d
Instruction Fuzzy Hash: B6019C72800B15DFCB30AF66DC90812FBF9BE60215315CA3FD1AA96931C7B1A959CE80

Function 00A3D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A3D752

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A3D764
_free.LIBCMT ref: 00A3D776
_free.LIBCMT ref: 00A3D788
_free.LIBCMT ref: 00A3D79A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11acaf5b7de7a1653807b6802720db3bffcf7393ae7b1615acbb408d5ea310c9
Instruction ID: 5914ccdffadc1f388180d3b5ec996becf0d32926e5a1719fb72451a6861c34c1
Opcode Fuzzy Hash: 11acaf5b7de7a1653807b6802720db3bffcf7393ae7b1615acbb408d5ea310c9
Instruction Fuzzy Hash: D5F0BD72545218EBC625EBA8FAC6E1A7BDDBB84720FA50C45F049E7552CB30FC818B64

Function 00A65C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A65C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A65C6F
MessageBeep.USER32(00000000), ref: 00A65C87
KillTimer.USER32(?,0000040A), ref: 00A65CA3
EndDialog.USER32(?,00000001), ref: 00A65CBD

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 36935781bf09d89d30cffed909284bd8b1547c3121cd9102e9055c6f75770468
Instruction ID: ad78c37a428a6b9068f2ca7eb53d9d7ab1e74e954ae45a28e89f573b2be2402f
Opcode Fuzzy Hash: 36935781bf09d89d30cffed909284bd8b1547c3121cd9102e9055c6f75770468
Instruction Fuzzy Hash: 1B018B30A00B049FEB245B60DD8EF9577B8BB01705F00155AA643A10E1DFF099458B50

Function 00A322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A322BE

Part of subcall function 00A329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000), ref: 00A329DE
Part of subcall function 00A329C8: GetLastError.KERNEL32(00000000,?,00A3D7D1,00000000,00000000,00000000,00000000,?,00A3D7F8,00000000,00000007,00000000,?,00A3DBF5,00000000,00000000), ref: 00A329F0

_free.LIBCMT ref: 00A322D0
_free.LIBCMT ref: 00A322E3
_free.LIBCMT ref: 00A322F4
_free.LIBCMT ref: 00A32305

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d3250012aabdab070aae5b9ab5debdeb7eee812627d2b8f310b72d8f4079918b
Instruction ID: f02410b43b5178ff8e66c782a0d38d1d91e25e92d5cec12cda54850322e63ad0
Opcode Fuzzy Hash: d3250012aabdab070aae5b9ab5debdeb7eee812627d2b8f310b72d8f4079918b
Instruction Fuzzy Hash: 07F0B7798021209BC612EFD8BD01F893B65F758761F16059BF416D62B1C7310953AFE4

Function 00A195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A195D4
StrokeAndFillPath.GDI32(?,?,00A571F7,00000000,?,?,?), ref: 00A195F0
SelectObject.GDI32(?,00000000), ref: 00A19603
DeleteObject.GDI32 ref: 00A19616
StrokePath.GDI32(?), ref: 00A19631

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d7ffce62a8d8ccbaa6d61a554b0162bb9f2afc585d75de69b4fdda4713e5fe4b
Instruction ID: 2b3669a2b752de7f344ec0c9654288c248786406ab24ab36680bdc36f3c60a3a
Opcode Fuzzy Hash: d7ffce62a8d8ccbaa6d61a554b0162bb9f2afc585d75de69b4fdda4713e5fe4b
Instruction Fuzzy Hash: 7DF0EC31106604EBDB16DFA9ED2C7A53B65AB01332F548216F476550F1CB308997DF34

Function 00A30F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A310F9
__freea.LIBCMT ref: 00A31117

Part of subcall function 00A31537: _free.LIBCMT ref: 00A3154F

Strings

am/pm, xrefs: 00A3117A
a/p, xrefs: 00A311DE

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 73840406fafde0dc17377e467b0cc9ce364f605d9ad369d8890b804b235c32fb
Instruction ID: cd281fbb3994b15fc40aa4804f9ab34a19ce65af5879f631bf62fd11189109aa
Opcode Fuzzy Hash: 73840406fafde0dc17377e467b0cc9ce364f605d9ad369d8890b804b235c32fb
Instruction Fuzzy Hash: A8D11471900206DBDB689F68C895BFEB7B1FF06700F28426AF941AF651D3759D80CB91

Function 00A87B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A20242: EnterCriticalSection.KERNEL32(00AD070C,00AD1884,?,?,00A1198B,00AD2518,?,?,?,00A012F9,00000000), ref: 00A2024D
Part of subcall function 00A20242: LeaveCriticalSection.KERNEL32(00AD070C,?,00A1198B,00AD2518,?,?,?,00A012F9,00000000), ref: 00A2028A

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A200A3: __onexit.LIBCMT ref: 00A200A9

__Init_thread_footer.LIBCMT ref: 00A87BFB

Part of subcall function 00A201F8: EnterCriticalSection.KERNEL32(00AD070C,?,?,00A18747,00AD2514), ref: 00A20202
Part of subcall function 00A201F8: LeaveCriticalSection.KERNEL32(00AD070C,?,00A18747,00AD2514), ref: 00A20235

Strings

G, xrefs: 00A87C7F
5, xrefs: 00A87C78
Variable must be of type 'Object'., xrefs: 00A87C3A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: edad525741e7894913fff0eaa77e88d01ac3a20518bf02c898dbb6511f57dbb5
Instruction ID: 2510798b9498510f7d3bf591157fa69323f27f341310f3f2a807cf1c4e80e0b8
Opcode Fuzzy Hash: edad525741e7894913fff0eaa77e88d01ac3a20518bf02c898dbb6511f57dbb5
Instruction Fuzzy Hash: 2B915875A04209EFCB14EF98D991DADB7B2FF48304F248059F806AB292DB71EE45CB51

Function 00A62716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A621D0,?,?,00000034,00000800,?,00000034), ref: 00A6B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A62760

Part of subcall function 00A6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A6B3F8

Part of subcall function 00A6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A6B355
Part of subcall function 00A6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A62194,00000034,?,?,00001004,00000000,00000000), ref: 00A6B365
Part of subcall function 00A6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A62194,00000034,?,?,00001004,00000000,00000000), ref: 00A6B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A6281A

Strings

@, xrefs: 00A62832

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 415b2211b50bcfd51d57b13d73f229afced8b093e7a471f9821b567a52cff02e
Instruction ID: 8a871380b80e17aff9cc5f2d6ea7e1cc2413c2487f95069e100bdf134c96d582
Opcode Fuzzy Hash: 415b2211b50bcfd51d57b13d73f229afced8b093e7a471f9821b567a52cff02e
Instruction Fuzzy Hash: AC41FB76A00218AFDB10DFA4CD46FEEBBB8AF09700F108055FA55B7181DB706E85DBA1

Function 00A3172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A31769
_free.LIBCMT ref: 00A31834
_free.LIBCMT ref: 00A3183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A31760, 00A31767, 00A31796, 00A317CE

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 4209abaa02aec1b45911df0bafa7710eb53cebce6109b0f7ef0efc8f6d477051
Instruction ID: 6ed037ce93f42389936c587309eb988de3bad39b56ab3eb5b9e6e1d6778e5b85
Opcode Fuzzy Hash: 4209abaa02aec1b45911df0bafa7710eb53cebce6109b0f7ef0efc8f6d477051
Instruction Fuzzy Hash: 13316975A01218FFDB21DB999D85E9EBBFCEB85310F1441ABF80597211DA708E41CBA4

Function 00A6C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A6C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A6C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AD1990,014C5730), ref: 00A6C395

Strings

0, xrefs: 00A6C2DF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b87cf487f839a2397bb42db136ba51dcedab373d97ec8ef81d35f193824ada58
Instruction ID: 1d2c24a4f65a41b64c593825230d5596344490ca0b2d25c834dfc2f6f8b770c2
Opcode Fuzzy Hash: b87cf487f839a2397bb42db136ba51dcedab373d97ec8ef81d35f193824ada58
Instruction Fuzzy Hash: 59419E712043019FD720DF29D884B6ABBF8AF85320F148A1EF9A59B3D1D730E904CB62

Function 00A94416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A9CC08,00000000,?,?,?,?), ref: 00A944AA
GetWindowLongW.USER32 ref: 00A944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A944D7

Strings

SysTreeView32, xrefs: 00A9447C

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b85c0681b3afc41f6a6d06a708dd106286bee74302504c58ab522cde607d2c61
Instruction ID: ad98061aa46175b343176c5698db15c4625965c0ffcb8bfea93ea13696cf65b6
Opcode Fuzzy Hash: b85c0681b3afc41f6a6d06a708dd106286bee74302504c58ab522cde607d2c61
Instruction Fuzzy Hash: 58317A32210605ABDF208F78DC45FEA7BE9EB48334F214719F979A21E0DB70AC529B50

Function 00A8304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A83077,?,?), ref: 00A83378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A8307A
_wcslen.LIBCMT ref: 00A8309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A83106

Strings

255.255.255.255, xrefs: 00A83095, 00A8309A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2d393be148fdc0cf275aea9f6a43e76078b55b719c9c48449524c4f18f57db1c
Instruction ID: 2fbd8e8bb7806d652f2a0c437a82209548d481bbd0e5c0025a87d3e44a4f4742
Opcode Fuzzy Hash: 2d393be148fdc0cf275aea9f6a43e76078b55b719c9c48449524c4f18f57db1c
Instruction Fuzzy Hash: 4931C1366042059FCF10EF68C585EAA77F0EF14B18F248159E9168B392DB72EE46C761

Function 00A93EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A93F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A93F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A93F78

Strings

SysMonthCal32, xrefs: 00A93F0B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 4b4ce78f02cb80ce3db970d549cff52d4b21e6453a66683d90190058aff6ab92
Instruction ID: 23c7b2c9e904510fe47af9bd59a399524ee5f25fe2873eb90079efc6be6aefb5
Opcode Fuzzy Hash: 4b4ce78f02cb80ce3db970d549cff52d4b21e6453a66683d90190058aff6ab92
Instruction Fuzzy Hash: 72219C33600219BFDF25CF90DC46FEA3BB9EF48724F110215FA156B1D0DAB5A9518BA0

Function 00A94653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A94705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A94713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A9471A

Strings

msctls_updown32, xrefs: 00A94684

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ba5509ccd8293b392ef94c02cb7823784de45c0fddb21ac502a2be9021f5e725
Instruction ID: 70f640599521648f0af704305768db8a84987f178316afef62210d3249cac9a4
Opcode Fuzzy Hash: ba5509ccd8293b392ef94c02cb7823784de45c0fddb21ac502a2be9021f5e725
Instruction Fuzzy Hash: 7E214FB5600208AFEB10DFA4DCD1DBA37EDEB5E3A4B140459F6019B251DB30EC12CA60

Function 00A695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A6961D

Strings

#notrayicon, xrefs: 00A695B7
#OnAutoItStartRegister, xrefs: 00A695F3
#requireadmin, xrefs: 00A695D9

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 28dea58c180112c82652d974421d0f6819417e7a16b9e4e42f256120f9cf0672
Instruction ID: 8a0486762c77c3b463b330839c3a44260908aeaca6540bad24659868cfa8e74c
Opcode Fuzzy Hash: 28dea58c180112c82652d974421d0f6819417e7a16b9e4e42f256120f9cf0672
Instruction Fuzzy Hash: 9B215B722046206AD731AB28ED02FBB73FCAF51300F14443AFA4AD7081EB75ED45C295

Function 00A937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A93840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A93850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A93876

Strings

Listbox, xrefs: 00A9380F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7ff2a2411d93153ec00a9d30416b5dd6f73762dc9157b0bb352e017942eca107
Instruction ID: dd5a93cb1cbb14b1ffd61714656b4781739701b1cb31cee2af987992adf4a54d
Opcode Fuzzy Hash: 7ff2a2411d93153ec00a9d30416b5dd6f73762dc9157b0bb352e017942eca107
Instruction Fuzzy Hash: D4217C72710218BBEF21CF94DC85EBB37BAEF89764F118125F9059B190CA759C528BA0

Function 00A749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A74A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A74A5C
SetErrorMode.KERNEL32(00000000,?,?,00A9CC08), ref: 00A74AD0

Strings

%lu, xrefs: 00A74A6F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 08a0922a6dbc3fd6b1495173065623087dd19d82ff46ecc6a444b9cfbb7a7b61
Instruction ID: 0e1c3368cdd011cbe6bc4e85aaa4b943d4ac78d0fd99b0fc5fb5dc60358c1776
Opcode Fuzzy Hash: 08a0922a6dbc3fd6b1495173065623087dd19d82ff46ecc6a444b9cfbb7a7b61
Instruction Fuzzy Hash: CA315175A00109AFDB10DF54C985EAA7BF8EF08318F1480A9F909DB252DB71ED46CB61

Function 00A941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A9424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A94264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A94271

Strings

msctls_trackbar32, xrefs: 00A94226

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c0a7ec35a6625d3a2aa8a3945d4016a26ec4aa49ea7284357f69b44ef445ffe8
Instruction ID: 130f0d428032cd200bf0079079ddefeaee6e81916992833f79fa82cb686cdf3f
Opcode Fuzzy Hash: c0a7ec35a6625d3a2aa8a3945d4016a26ec4aa49ea7284357f69b44ef445ffe8
Instruction Fuzzy Hash: C611E332340208BEEF209F69CC06FEB3BECEF89B64F110524FA55E6090D671D8529B20

Function 00A62F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A06B57: _wcslen.LIBCMT ref: 00A06B6A

Part of subcall function 00A62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A62DC5
Part of subcall function 00A62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A62DD6
Part of subcall function 00A62DA7: GetCurrentThreadId.KERNEL32 ref: 00A62DDD
Part of subcall function 00A62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A62DE4

GetFocus.USER32 ref: 00A62F78

Part of subcall function 00A62DEE: GetParent.USER32(00000000), ref: 00A62DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A62FC3
EnumChildWindows.USER32(?,00A6303B), ref: 00A62FEB

Strings

%s%d, xrefs: 00A62FFF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: addf90b2b4ec69954d5e5a0ab61fd31ef51b5ebfff6eba8800cfd01ce1ba8a53
Instruction ID: 1c92905ed93d921659e44adfa316d681e9fa1eeeab33e1723525e6311e2e87e3
Opcode Fuzzy Hash: addf90b2b4ec69954d5e5a0ab61fd31ef51b5ebfff6eba8800cfd01ce1ba8a53
Instruction Fuzzy Hash: DA11A2B6700209ABDF14BF70DD85FED377AAF94314F048075F9099B192DE309A4A8B60

Function 00A6007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad85870cc57afa6e3b587c4744a946066665b0c3e05d7c7101ee776c1de0fd8
Instruction ID: e3892496e0f569dd0b6dc0aa060ca441b1b77012305eb2f02b29669e83064dcf
Opcode Fuzzy Hash: 5ad85870cc57afa6e3b587c4744a946066665b0c3e05d7c7101ee776c1de0fd8
Instruction Fuzzy Hash: 7DC13975A00206AFDB14CFA8C894EAEB7B5FF48705F218598E505EB251D731ED81DB90

Function 00A33E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A33F0B
__alldvrm.LIBCMT ref: 00A3410C
__alldvrm.LIBCMT ref: 00A3412E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: e4ba6f93ce5a0463b3f3cd73c573b03e9f2f1e66cbeff6967112049be19d41cc
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 7DA17B76E047869FEB15CF18C8917AEBBF4EF6A350F14426DF5859B281C238AD81C750

Function 00A8342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A83459
CoUninitialize.OLE32 ref: 00A83463
VariantInit.OLEAUT32(?), ref: 00A8346E
VariantClear.OLEAUT32(?), ref: 00A8371B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 22630a9f0dc749d2b864be1a3f226d664b7215f36acddebfd9dd3cc88d1cc91e
Instruction ID: f9d5b3b2e1ab812649d46dd2993dad83b3175ab8fc03f764c287b3c8ed89c98a
Opcode Fuzzy Hash: 22630a9f0dc749d2b864be1a3f226d664b7215f36acddebfd9dd3cc88d1cc91e
Instruction Fuzzy Hash: 61A12A756046059FCB00EF28D985A6EB7E5FF88714F048859F98A9B3A2DB30FE41CB51

Function 00A60436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A60608
CLSIDFromProgID.OLE32(?,?,00000000,00A9CC40,000000FF,?,00000000,00000800,00000000,?,00A9FC08,?), ref: 00A6062D
_memcmp.LIBVCRUNTIME ref: 00A6064E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 93c8cc8a7a66f0ad2cbed3d9a7f84331e6f6a7c1b4f02bc85692fd523e2a884e
Instruction ID: fdbdbfc71cd92c76ff6cc31a4e6030f2eaf5200566bba6b1f5e8d1205842d62b
Opcode Fuzzy Hash: 93c8cc8a7a66f0ad2cbed3d9a7f84331e6f6a7c1b4f02bc85692fd523e2a884e
Instruction Fuzzy Hash: CC81FC75A00109EFCB04DF98C984DEEB7B9FF89315F208558E516EB250DB71AE46CB60

Function 00A8A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A8A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A8A6BA

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A8A79C
CloseHandle.KERNEL32(00000000), ref: 00A8A7AB

Part of subcall function 00A1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A43303,?), ref: 00A1CE8A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3e338ea72a3a2bc303a88711c21915d00327d920a97f586e76d288cbf8d51ea4
Instruction ID: 10ded8debbe23b955548c8c944144f0a17a21e55bdefc93f5516a5e096a9d08e
Opcode Fuzzy Hash: 3e338ea72a3a2bc303a88711c21915d00327d920a97f586e76d288cbf8d51ea4
Instruction Fuzzy Hash: FC516E71508304AFD710EF24D986E6BBBE8FF89754F00891DF58597292EB70D904CBA2

Function 00A41391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A414C0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5b23cb9005090c83e3ae0c1885867e896ca01f2d5016b697edc12af4e81ddf1b
Instruction ID: b3dc3f48c987576ec0cf77331aeabc05e26814b51d638437ed281b6b41237326
Opcode Fuzzy Hash: 5b23cb9005090c83e3ae0c1885867e896ca01f2d5016b697edc12af4e81ddf1b
Instruction Fuzzy Hash: E0412A7DA00610ABDB216BFDAD45AFE3AB4EFC2370F244235F419D6192E77488C15762

Function 00A96278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A962E2
ScreenToClient.USER32(?,?), ref: 00A96315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A96382

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9d78816722b908c125012c8e6b3655ebaa1d9ed8a71ea8c86b62eabcd29cc442
Instruction ID: 70dfaea26173251af31a02e06d303e5b4f5766ae706635927f8b01352241a012
Opcode Fuzzy Hash: 9d78816722b908c125012c8e6b3655ebaa1d9ed8a71ea8c86b62eabcd29cc442
Instruction Fuzzy Hash: D0510974A00609AFDF10DF68D990AAE7BF5FF45360F10816AF9159B2A0D730ED81CB50

Function 00A81AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A81AFD
WSAGetLastError.WSOCK32 ref: 00A81B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A81B8A
WSAGetLastError.WSOCK32 ref: 00A81B94

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 85d4b70cfdc19a707b37f65e4eb8aba7b6d3f4ca571e1f1624d9472e9b227834
Instruction ID: 66e92313d8244516832a3bbd82a85fc6ce0e5b3e85214ad6aeb01256e8bbd674
Opcode Fuzzy Hash: 85d4b70cfdc19a707b37f65e4eb8aba7b6d3f4ca571e1f1624d9472e9b227834
Instruction Fuzzy Hash: 7341A374600200AFE720AF24D98AF6977E5AB44718F54C458F91A9F3D2D772ED82CB91

Function 00A3B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae5853dac9e95d8dba1a3276954053d069ccd100ae81bb0eb500e958c948b00
Instruction ID: 56dc2a340804991cb1435386430d439ab64d6a75e7858538af876835d3b737a5
Opcode Fuzzy Hash: 5ae5853dac9e95d8dba1a3276954053d069ccd100ae81bb0eb500e958c948b00
Instruction Fuzzy Hash: 63412B75A10314BFD7249F38CD42BAABBFAEB84710F10853EF252DB281D771994187A0

Function 00A756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A75783
GetLastError.KERNEL32(?,00000000), ref: 00A757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A757FA

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 67428ccb80cc1b630a0ad1f2e2d55bd0a4695794fea8142056791096625c9745
Instruction ID: a536b3671b694a8451a87abbbcdd1527a04bba71a9b952990ec6824adb5ea0d7
Opcode Fuzzy Hash: 67428ccb80cc1b630a0ad1f2e2d55bd0a4695794fea8142056791096625c9745
Instruction Fuzzy Hash: 12414F35A00A14DFCB11EF55D944A5EBBF1EF49720B19C888E84A5B3A2CB70FD41DB91

Function 00A3D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A26D71,00000000,00000000,00A282D9,?,00A282D9,?,00000001,00A26D71,8BE85006,00000001,00A282D9,00A282D9), ref: 00A3D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A3D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A3D9AB
__freea.LIBCMT ref: 00A3D9B4

Part of subcall function 00A33820: RtlAllocateHeap.NTDLL(00000000,?,00AD1444,?,00A1FDF5,?,?,00A0A976,00000010,00AD1440,00A013FC,?,00A013C6,?,00A01129), ref: 00A33852

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9ade8d59299ca06fc4b628d6080416825238dbcec312a4d1a3f5e323e356929c
Instruction ID: fc7082a5b94228e8965369d3712b9ffd3d0e933645fd8520a3f4cdb8e633796e
Opcode Fuzzy Hash: 9ade8d59299ca06fc4b628d6080416825238dbcec312a4d1a3f5e323e356929c
Instruction Fuzzy Hash: 2F31BC72A0021AEBDF25DFA4EC41EAE7BA5EB44310F154269FC04DB251EB35DD51CBA0

Function 00A952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A95352
GetWindowLongW.USER32(?,000000F0), ref: 00A95375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A95382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A953A8

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f5be4d647af11bd4e184904dfaf4a463dfbbe3feb550f9cef889f4e482a14a09
Instruction ID: e3eb6a4d2ca9f0860873e324a9ad0f3a28d338196ef315c7bd2515f17310425a
Opcode Fuzzy Hash: f5be4d647af11bd4e184904dfaf4a463dfbbe3feb550f9cef889f4e482a14a09
Instruction Fuzzy Hash: 0B31CF34F55A08EFEF269B74CC27BEA37E1AB05390F584102FA119E1E1C7B49981AB51

Function 00A6AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A6ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A6AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A6AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A6ACC6

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d0244d0ac1c2524d6238e54089e4452392770926d5823c0739f04dc9f8fe4c3c
Instruction ID: 62b3a8d7908f202137ecc12ec63a8b297a74949c81760e7e99cee8cccb4bebb2
Opcode Fuzzy Hash: d0244d0ac1c2524d6238e54089e4452392770926d5823c0739f04dc9f8fe4c3c
Instruction Fuzzy Hash: 33310730A407186FEF35CBA58C047FA7BB5ABA9320F04431AE485A21D1C375D9859B62

Function 00A97674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A9769A
GetWindowRect.USER32(?,?), ref: 00A97710
PtInRect.USER32(?,?,00A98B89), ref: 00A97720
MessageBeep.USER32(00000000), ref: 00A9778C

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6642214b9bf0a863595573da8159540885153cf96ed73e229fc873a66d140684
Instruction ID: aa02ba317f2afa804dc0ce849402296cf78eb24336563cf666c9eacb08587e2a
Opcode Fuzzy Hash: 6642214b9bf0a863595573da8159540885153cf96ed73e229fc873a66d140684
Instruction Fuzzy Hash: 35415A38B19214EFCF11CFE8C894EADB7F5BB49314F1541A9E9159B261C730A942CBA0

Function 00A916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A916EB

Part of subcall function 00A63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A63A57
Part of subcall function 00A63A3D: GetCurrentThreadId.KERNEL32 ref: 00A63A5E
Part of subcall function 00A63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A625B3), ref: 00A63A65

GetCaretPos.USER32(?), ref: 00A916FF
ClientToScreen.USER32(00000000,?), ref: 00A9174C
GetForegroundWindow.USER32 ref: 00A91752

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b17ffcd40d5e0f34b1e1b46c16120c911f1217cd1907326e03bc2c10b1a5c514
Instruction ID: b532e3ae10db4b79e6ac1f5954bf4356c2da10468d60f0e269928786ce069e15
Opcode Fuzzy Hash: b17ffcd40d5e0f34b1e1b46c16120c911f1217cd1907326e03bc2c10b1a5c514
Instruction Fuzzy Hash: 6B315275E00249AFDB00EFA9D981CAEB7F9EF48314B5080AAE415E7251DB319E45CFA1

Function 00A98FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetCursorPos.USER32(?), ref: 00A99001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A57711,?,?,?,?,?), ref: 00A99016
GetCursorPos.USER32(?), ref: 00A9905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A57711,?,?,?), ref: 00A99094

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3de18ef9cbff504741503718347bc13af9c2cc1c2b2e97478dd4bf2b97d0e417
Instruction ID: 20aea0447ba11c8277fcae55f73d83dfb352a3388cc37959c0522ef772f00b79
Opcode Fuzzy Hash: 3de18ef9cbff504741503718347bc13af9c2cc1c2b2e97478dd4bf2b97d0e417
Instruction Fuzzy Hash: 9E217C35700018BFCF25CF99C898EEB7BF9EB49360F04405AF9154B261C73299A1DB61

Function 00A6D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A9CB68), ref: 00A6D2FB
GetLastError.KERNEL32 ref: 00A6D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A6D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A9CB68), ref: 00A6D376

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 70d962cad9fcce28acbf39d4243ac63aaa93670cfde9f9e3dd47170efa041a19
Instruction ID: 3c355c4f701615430c84a7ab6e0c834d24d924b7e4d9b138181ce6e82f1f2a6b
Opcode Fuzzy Hash: 70d962cad9fcce28acbf39d4243ac63aaa93670cfde9f9e3dd47170efa041a19
Instruction Fuzzy Hash: 9C219170A042019FC710EF64D9818AB77F4AE553A4F504A1DF499DB3E1EB30D946CB93

Function 00A61571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A6102A
Part of subcall function 00A61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A61036
Part of subcall function 00A61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61045
Part of subcall function 00A61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6104C
Part of subcall function 00A61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A61062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A615BE
_memcmp.LIBVCRUNTIME ref: 00A615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A61617
HeapFree.KERNEL32(00000000), ref: 00A6161E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 84b9c478402aaa14b5953865d4dfccd14cff27071ffff2a000302e39f034bb9d
Instruction ID: 5b063b117d0ba403d629cc94f3d33bc172f8243844f2574b57cea977cdefa101
Opcode Fuzzy Hash: 84b9c478402aaa14b5953865d4dfccd14cff27071ffff2a000302e39f034bb9d
Instruction Fuzzy Hash: 7F217C75E00109EFDF10DFA8C945BEEBBB8EF44354F194459E441AB241EB70AA05CBA0

Function 00A92782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A9280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A92824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A92832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A92840

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 225e7e0d709b5f5a52ef4be5b39046ab1e296b738a08a15304ee7f3914540e97
Instruction ID: a61e797f736fbd29800a2e60e8ec58d47e1f029baae5308bc3fc4a15cdf40138
Opcode Fuzzy Hash: 225e7e0d709b5f5a52ef4be5b39046ab1e296b738a08a15304ee7f3914540e97
Instruction Fuzzy Hash: A021BD31304511BFDB14DB24CC44FAA7BA5AF85324F148259F42A8B6E2CB71FC82CBA0

Function 00A678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?), ref: 00A68D8C
Part of subcall function 00A68D7D: lstrcpyW.KERNEL32(00000000,?,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A68DB2
Part of subcall function 00A68D7D: lstrcmpiW.KERNEL32(00000000,?,00A6790A,?,000000FF,?,00A68754,00000000,?,0000001C,?,?), ref: 00A68DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67923
lstrcpyW.KERNEL32(00000000,?,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A68754,00000000,?,0000001C,?,?,00000000), ref: 00A67984

Strings

cdecl, xrefs: 00A6797B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 04d78da06604cf1d6a80350a3ede6a42d65c316efef0ca855dc9f2a8fd48fce5
Instruction ID: ded635a6ca30a101a1a784ee240d98b6f22fe1eb600ef95c8d88e2a21a65e8ac
Opcode Fuzzy Hash: 04d78da06604cf1d6a80350a3ede6a42d65c316efef0ca855dc9f2a8fd48fce5
Instruction Fuzzy Hash: 5711003A200242AFCB159F38C844E7A77F9FF85394B50802AF806CB2A4EF319801C7A1

Function 00A97CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A97D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A97D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A97D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A7B7AD,00000000), ref: 00A97D6B

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4a750c39ef7c5e49b809463c7a6a83ee08ec36413fa036fad23b41d4a56adf6d
Instruction ID: c1f45890f2c7300521bf29f303e43146e691e7c5002edcaa4059b94f0a99286f
Opcode Fuzzy Hash: 4a750c39ef7c5e49b809463c7a6a83ee08ec36413fa036fad23b41d4a56adf6d
Instruction Fuzzy Hash: DA118C71629615AFCF10DFA8DC04AAA3BA5AF45360F154725F83AC72E0DB309D52CB60

Function 00A31D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422f839d58cf928504e5c119601f870ffc4af8993c7e7c20811dbf1e65bbcd2f
Instruction ID: 704e0c0c1b95bbc3082a5883ac81292c889c59924bde492f772cd57c1869fcb2
Opcode Fuzzy Hash: 422f839d58cf928504e5c119601f870ffc4af8993c7e7c20811dbf1e65bbcd2f
Instruction Fuzzy Hash: DD0181B2209A167EF6212BB87CC1F67676DDF867F8F340326F521A11D2DB609C015170

Function 00A61A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A61A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A61A8A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a5c3c5ba7c4403a3a18d071a11db5d69cd89882d12b41d7b47c4bee37e627cd1
Instruction ID: 0838ec502c51af8115628b08a327a16e43c778add029afcf7191a5d863c3aab1
Opcode Fuzzy Hash: a5c3c5ba7c4403a3a18d071a11db5d69cd89882d12b41d7b47c4bee37e627cd1
Instruction Fuzzy Hash: 9E11393AD01219FFEB11DBE4CD85FADBB78EB18750F240492EA04B7290D6716E50DB94

Function 00A6E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A6E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A6E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A6E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A6E24D

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b81b14355c4ea47698bb2db0ab543e830cbb9c1cf786af9b638cfb671b4eb106
Instruction ID: bad64b993f77ba0c665a92f7932e90dff94dc29d8516185a4c777fba1e08d44f
Opcode Fuzzy Hash: b81b14355c4ea47698bb2db0ab543e830cbb9c1cf786af9b638cfb671b4eb106
Instruction Fuzzy Hash: 2711C876A04254BBCB01DBF89C09ADE7FBDAB45320F144256F915D7291D6708A0587A0

Function 00A2D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A2CFF9,00000000,00000004,00000000), ref: 00A2D218
GetLastError.KERNEL32 ref: 00A2D224
__dosmaperr.LIBCMT ref: 00A2D22B
ResumeThread.KERNEL32(00000000), ref: 00A2D249

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ccdcfb598d3d85f1f526ed754ff33a381746c55d24537d5f1cf410e15142eccf
Instruction ID: d516fa80b8a16416c6d950ec6e02992b4ac817a143e477a42a7a65731d95630d
Opcode Fuzzy Hash: ccdcfb598d3d85f1f526ed754ff33a381746c55d24537d5f1cf410e15142eccf
Instruction Fuzzy Hash: 5F01C436505224BBDB115BA9EC09BEE7A69EF81730F100239F925961D1CF708901C7A0

Function 00A99EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00A19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A19BB2

GetClientRect.USER32(?,?), ref: 00A99F31
GetCursorPos.USER32(?), ref: 00A99F3B
ScreenToClient.USER32(?,?), ref: 00A99F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A99F7A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 297db2bf5a6fd24f7e61036112a50c94e252e99ec44eccb9a654a0bca11998d1
Instruction ID: bb887d0305ca1a4610ff749f6a2a801d5ae562f3a2e04cd9e9b0e6ee01c40eb3
Opcode Fuzzy Hash: 297db2bf5a6fd24f7e61036112a50c94e252e99ec44eccb9a654a0bca11998d1
Instruction Fuzzy Hash: D0111532A0051ABBDF10DFA8D9899EFB7B9FB45311F40045AF912E7150D730BA82CBA1

Function 00A0600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
GetStockObject.GDI32(00000011), ref: 00A06060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9f271e7405eabcd8c9c018798e264111ceccc90dec8a77450d4ad7a3142d8c87
Instruction ID: c5f4279b20ae61f99206132607e56f8a80bd990dfca8606b35ab37651e7c6e33
Opcode Fuzzy Hash: 9f271e7405eabcd8c9c018798e264111ceccc90dec8a77450d4ad7a3142d8c87
Instruction Fuzzy Hash: B611A17250150CBFEF128FD4DC44EEA7B69EF08369F044202FA0452050DB329C60DBA0

Function 00A23B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A23B56

Part of subcall function 00A23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A23AD2
Part of subcall function 00A23AA3: ___AdjustPointer.LIBCMT ref: 00A23AED

_UnwindNestedFrames.LIBCMT ref: 00A23B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A23B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A23BA4

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8004581a8a9123efcf5f816695b88dba15a0dd6c0c554cb52267a06c14b5db80
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D4012933100158BBDF126F9AED42EEB3F6AEF49754F044024FE4856121C736E961DBA0

Function 00A33073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A013C6,00000000,00000000,?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue), ref: 00A330A5
GetLastError.KERNEL32(?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue,00AA2290,FlsSetValue,00000000,00000364,?,00A32E46), ref: 00A330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A3301A,00A013C6,00000000,00000000,00000000,?,00A3328B,00000006,FlsSetValue,00AA2290,FlsSetValue,00000000), ref: 00A330BF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 69c24edae25213b735c8e73c2e25fe67b29fd1645ffae57cc23df21de1963667
Instruction ID: 0714ef217ff92d95fd1d19af37316fa52c361908b8511d39bd83cf447ce1d3ed
Opcode Fuzzy Hash: 69c24edae25213b735c8e73c2e25fe67b29fd1645ffae57cc23df21de1963667
Instruction Fuzzy Hash: 1D01AC33749732ABCF358BB9AC44A5777989F46771F210621F946D7150DB21DD02C6E0

Function 00A67464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A6747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A67497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A674CA

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fc35bb38a3aa17799cb01d62a7b6048f27c3cd8c397f2ef1c52a048bdf77661b
Instruction ID: 90c771b78e7ce0899cde014d71f0f44e07800f7a6eb94408b58b6216158c01e4
Opcode Fuzzy Hash: fc35bb38a3aa17799cb01d62a7b6048f27c3cd8c397f2ef1c52a048bdf77661b
Instruction Fuzzy Hash: C811ADB5315710ABE720CF58DD0CB9A7BFCEB40B18F50856AA616D6191DFB0E904DBA0

Function 00A6B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A6ACD3,?,00008000), ref: 00A6B126

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7b4d088afe67b7d8c12160c2682d7c80211dd9bd61a39ef893efbcf1e9f76515
Instruction ID: 0fcfb8a4cc998fc8076b8e1f7e8717cff5ae32edb75e2586e34758037ad78b86
Opcode Fuzzy Hash: 7b4d088afe67b7d8c12160c2682d7c80211dd9bd61a39ef893efbcf1e9f76515
Instruction Fuzzy Hash: 42115E31D1192CE7CF00DFE4E9586EEBF78FF0A711F114286D941B2145CB3095918B65

Function 00A97E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A97E33
ScreenToClient.USER32(?,?), ref: 00A97E4B
ScreenToClient.USER32(?,?), ref: 00A97E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A97E8A

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 44b2ac7f83054980735b29488f5d1408f9723742174eb7d79f16d0e6c14737c1
Instruction ID: 0b2d943428e43dd30e7579cb9bf1e45f71ca076d47c2f88ee15a50dbdf42b462
Opcode Fuzzy Hash: 44b2ac7f83054980735b29488f5d1408f9723742174eb7d79f16d0e6c14737c1
Instruction Fuzzy Hash: 771113B9E0064AAFDB41DF98C9849EEBBF5FB08310F505056E915E2210D735AA55CF50

Function 00A62DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A62DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A62DD6
GetCurrentThreadId.KERNEL32 ref: 00A62DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A62DE4

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 66c96867295f95b4dbb3b43bdc1db020072f4fa9b88bbb3b4a47b4daaa9b62ad
Instruction ID: d94925ae98c8d83358e8d5adf6638b604c7ccdc006ac0e40c0cc92d42c0acfe8
Opcode Fuzzy Hash: 66c96867295f95b4dbb3b43bdc1db020072f4fa9b88bbb3b4a47b4daaa9b62ad
Instruction Fuzzy Hash: 8AE06D71201A24BADB205BA29C0DFEB7E7CEB42BB1F401516B205D10909AA18942C7B0

Function 00A98863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A19693
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196A2
Part of subcall function 00A19639: BeginPath.GDI32(?), ref: 00A196B9
Part of subcall function 00A19639: SelectObject.GDI32(?,00000000), ref: 00A196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A98887
LineTo.GDI32(?,?,?), ref: 00A98894
EndPath.GDI32(?), ref: 00A988A4
StrokePath.GDI32(?), ref: 00A988B2

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9cceb47d378750a699f9f5a36f28c881cb2ed7cf87484565d61bee2ce40b2cff
Instruction ID: 4a12b9ed25d50a4cc5ca1cc45ed1cb64edc5094f3b32dd897e75ae30934ee5d0
Opcode Fuzzy Hash: 9cceb47d378750a699f9f5a36f28c881cb2ed7cf87484565d61bee2ce40b2cff
Instruction Fuzzy Hash: B1F05E36242658FADB12AFD4AC09FCE3F59AF06320F448102FA22650E1CB795552CFF9

Function 00A198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A198CC
SetTextColor.GDI32(?,?), ref: 00A198D6
SetBkMode.GDI32(?,00000001), ref: 00A198E9
GetStockObject.GDI32(00000005), ref: 00A198F1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6618d8c72677d3248620b20b706915db92149d8f97ed64017c6e199632c20255
Instruction ID: 336d1b6b52ae8ee8871438488a279aec7ab6e39e8be4cca7ed37e5830c49f7fe
Opcode Fuzzy Hash: 6618d8c72677d3248620b20b706915db92149d8f97ed64017c6e199632c20255
Instruction Fuzzy Hash: 62E06D31344A80ABDB219BB4BC09BED3F20AB12336F14831AFAFA580E1CB714645DB10

Function 00A6162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A61634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A611D9), ref: 00A6163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A611D9), ref: 00A61648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A611D9), ref: 00A6164F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9bbbcbe536ac788a8dd2efc6440e5fe4955c6176c30f99b7ac82b2cd95ece48e
Instruction ID: f453d45511f0c8f242a4706b57a3a5b35dff982aa5d4f7edd42acad5e2e6327f
Opcode Fuzzy Hash: 9bbbcbe536ac788a8dd2efc6440e5fe4955c6176c30f99b7ac82b2cd95ece48e
Instruction Fuzzy Hash: D0E08639701211EBDB205FE09E0DB873F7CAF447A5F188809F345C9080DE344542C760

Function 00A5D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A5D858
GetDC.USER32(00000000), ref: 00A5D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A5D882
ReleaseDC.USER32(?), ref: 00A5D8A3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7f80aaa12568f6ffb2b3c2c46206e9578ccc07d36732f9430c679d7f1dc07f64
Instruction ID: 00058388e89d7c65f40bedddc94778b8f70bfe0eb390d37e7b2c53c2a31cc2fc
Opcode Fuzzy Hash: 7f80aaa12568f6ffb2b3c2c46206e9578ccc07d36732f9430c679d7f1dc07f64
Instruction Fuzzy Hash: 23E01AB5900605DFCF41DFE0D90866DBBB1FB08321F14900AE906E7250CF399942AF50

Function 00A5D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A5D86C
GetDC.USER32(00000000), ref: 00A5D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A5D882
ReleaseDC.USER32(?), ref: 00A5D8A3

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1495102c1b1bdd16c5b7aba3e3eb1988a735c57864ab18454a228c1d03615e8d
Instruction ID: d40fef7d361b3529daaf0ad96b7e0d9fb2f5cc6aaca4b6da5d8ef6500cf65010
Opcode Fuzzy Hash: 1495102c1b1bdd16c5b7aba3e3eb1988a735c57864ab18454a228c1d03615e8d
Instruction Fuzzy Hash: 92E092B5A00605EFCF51EFE0D90866DBBB5BB08321F14944AEA4AE7250CF399942AF50

Function 00A74D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07620: _wcslen.LIBCMT ref: 00A07625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A74ED4

Strings

LPT, xrefs: 00A74DFB
*, xrefs: 00A74E10

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 5ff2e561a3028f6e1db1e986a99fa42bc3a72ec90b49a81b2b46fb83141070ea
Instruction ID: ef5dd510de09d9257f930336a2aa8c8056de670c53ed8c799a3611e432d53d83
Opcode Fuzzy Hash: 5ff2e561a3028f6e1db1e986a99fa42bc3a72ec90b49a81b2b46fb83141070ea
Instruction Fuzzy Hash: 94917175A002049FCB14DF58C984EAABBF5BF48714F19C099E80A9F3A2D735ED85CB91

Function 00A2E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A2E30D

Strings

pow, xrefs: 00A2E2E5, 00A2E302

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 07cf807acd2faf2c17c1ace3afd170985e647aabca7694275ee0280ff1be65bc
Instruction ID: d33295125624fcdd27119aa13e877883a3bc95a1f52810c47212f7505e96e20c
Opcode Fuzzy Hash: 07cf807acd2faf2c17c1ace3afd170985e647aabca7694275ee0280ff1be65bc
Instruction Fuzzy Hash: F5513DB1A0C20296CB35F71CEA417BD3BA4AF40781F344978F496462E9DB358CD59B86

Function 00A1F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A1F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A1F2BB

Strings

@, xrefs: 00A1F2AF

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f29423f939949d273c7f298400a7bafc329ec4bee7e7a2d80d12c3c92546a9b6
Instruction ID: 26807b64d2219ab06e36f5f3728af13ad3466ce93afc334501c5622e396cdca6
Opcode Fuzzy Hash: f29423f939949d273c7f298400a7bafc329ec4bee7e7a2d80d12c3c92546a9b6
Instruction Fuzzy Hash: EC5155718087499BD320EF50E986BAFBBF8FB84310F81894DF199411A5EB309529CB67

Function 00A85745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A857E0
_wcslen.LIBCMT ref: 00A857EC

Strings

CALLARGARRAY, xrefs: 00A857E6, 00A857EB

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b28258e866c05381723c8d37f4ba79795568d9e68ad6e702ee5312efe8fa1815
Instruction ID: 0b33954887aeb35f64a227650a85cbdffd8dfd0cc1dde1f77adff6bba2103099
Opcode Fuzzy Hash: b28258e866c05381723c8d37f4ba79795568d9e68ad6e702ee5312efe8fa1815
Instruction Fuzzy Hash: 29419171E006099FCB14EFB9C9819EEBBF5FF59324F10406AE905A7291EB709D81DB90

Function 00A7D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A7D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A7D13A

Strings

|, xrefs: 00A7D10B

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 210e42364f57ffc6f1fbbf6141389d8b5e810312160121f54f3eb640bdf2ca6b
Instruction ID: 12dc46bab57ad61784c3c6d67ee5dcc54c3c0784e829cbe282ae3cd1283c433c
Opcode Fuzzy Hash: 210e42364f57ffc6f1fbbf6141389d8b5e810312160121f54f3eb640bdf2ca6b
Instruction Fuzzy Hash: 41313E71D00219ABCF15EFA4DD85AEE7FB9FF04304F404119F819A61A2E731AA56CB60

Function 00A9356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A93621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A9365C

Strings

static, xrefs: 00A935BC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: cf0f7d31f64eaf9a42c6c2c0f3abe98ceb95d29e8ae244dc4d384e48f92fd138
Instruction ID: 96e33243aec671736260ef21c1838102a60d82f92288871578335fcb330dfe75
Opcode Fuzzy Hash: cf0f7d31f64eaf9a42c6c2c0f3abe98ceb95d29e8ae244dc4d384e48f92fd138
Instruction Fuzzy Hash: 65317872200604AEDF10DF68D880ABB73F9FF88724F10961AF9A5D7280DA31A991D760

Function 00A94537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A9461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A94634

Strings

', xrefs: 00A9458E

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fd9c074450b10d11fba2c59e99b83a2890921231802a22793039397e4f12c24b
Instruction ID: 269388906a6dedbcd9c95cc0bfd3702ffafd4eb116cca13f3626ba5f826cfa6a
Opcode Fuzzy Hash: fd9c074450b10d11fba2c59e99b83a2890921231802a22793039397e4f12c24b
Instruction Fuzzy Hash: 933117B4B012099FDF14CFA9C990BDA7BF5FB09300F11416AE905AB341E770A942CF90

Function 00A931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A9327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A93287

Strings

Combobox, xrefs: 00A93249

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c6e68b2a2555fd126bb945860717103d74d6b46e9c9c519b30106dfc6bab8ad3
Instruction ID: 11c632a20383bf9c9d4b01bb3de57714fb1e4906af9c0af2b131c3ad2aae1aee
Opcode Fuzzy Hash: c6e68b2a2555fd126bb945860717103d74d6b46e9c9c519b30106dfc6bab8ad3
Instruction Fuzzy Hash: 6E11B2723002087FFF25DF94DC84EFB37AAEBA4364F104529FA1997290D6759D518760

Function 00A93710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A0604C
Part of subcall function 00A0600E: GetStockObject.GDI32(00000011), ref: 00A06060
Part of subcall function 00A0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A0606A

GetWindowRect.USER32(00000000,?), ref: 00A9377A
GetSysColor.USER32(00000012), ref: 00A93794

Strings

static, xrefs: 00A93757

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 78dfec82e00f8f1153ee8554d507b9d059f6704e19639f3e10b5a103d5597bda
Instruction ID: 84fd2f1f3e58e4b4d46d79d237f8f9e89d4af875594c2dc666693165b21bf15a
Opcode Fuzzy Hash: 78dfec82e00f8f1153ee8554d507b9d059f6704e19639f3e10b5a103d5597bda
Instruction Fuzzy Hash: 1C1126B2610209AFDF00DFA8CD46AEA7BF8FB08314F004915F956E2250EB35E8619B60

Function 00A7CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A7CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A7CDA6

Strings

<local>, xrefs: 00A7CD66

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7aa1dab7c6af8b39940f21187559a9cd9a29af724f5b9a9c0daa4bc3cd8a465e
Instruction ID: 71b0468a880698e8d54a4d3d45984c1a02041f194db0d2a94abb5086abc31c92
Opcode Fuzzy Hash: 7aa1dab7c6af8b39940f21187559a9cd9a29af724f5b9a9c0daa4bc3cd8a465e
Instruction Fuzzy Hash: 3811A071205631BAD7384BA68C49EE7BEACEB127B4F00C22EB10D82181D6649941D6F0

Function 00A93429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A934BA

Strings

edit, xrefs: 00A9348F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 708c1ca1fb7f08657bf83b1d52244d77f08c5b27e6d3ce502109816d465ccb8c
Instruction ID: bf4a69558cf6e653c9994751061732d187c06cbf149c6ebc4f8e0e86cdeeb3c3
Opcode Fuzzy Hash: 708c1ca1fb7f08657bf83b1d52244d77f08c5b27e6d3ce502109816d465ccb8c
Instruction Fuzzy Hash: 10116D72200108AAEF118F64DC44AAA37FAEB85779F514724F965931D0C775EC519760

Function 00A66C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A66CB6
_wcslen.LIBCMT ref: 00A66CC2

Strings

STOP, xrefs: 00A66CBC, 00A66CC1

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e55d6c521c93dfc3ce420039c12320caa43d08512263e75b1e3fa4ccb889c48b
Instruction ID: 0483fe8beeea1c490312d422be816918011758a0765de8fa254b286b9757ef5f
Opcode Fuzzy Hash: e55d6c521c93dfc3ce420039c12320caa43d08512263e75b1e3fa4ccb889c48b
Instruction Fuzzy Hash: DB01D232A0092ACBCB20AFFDDD809BF77B5EF65714B100538E862971D1EB31D940C650

Function 00A61CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A61D4C

Strings

ComboBox, xrefs: 00A61CEB
ListBox, xrefs: 00A61D16

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc2c67483f60637f693a848ba33419c4a34c4c6469c193e45598e00d60a27c42
Instruction ID: 8e97d3ff186cf048b9a5b82b0da644b35bab70cef61432584fcb7577cda5287a
Opcode Fuzzy Hash: bc2c67483f60637f693a848ba33419c4a34c4c6469c193e45598e00d60a27c42
Instruction Fuzzy Hash: 5901B571A01218ABCF04EBA4DD51DFF7BB8FB56350F040919F822573C2EA30590D8660

Function 00A61BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A61C46

Strings

ComboBox, xrefs: 00A61BE5
ListBox, xrefs: 00A61C10

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61e1d128858cadce18ed9d9c21db7954dcc60a6d8b06696efcd70f21c1d672e0
Instruction ID: 96226f7fbc310f41266a0850a1c11d24c6549d7863831fb2a139ab1d3b126bd0
Opcode Fuzzy Hash: 61e1d128858cadce18ed9d9c21db7954dcc60a6d8b06696efcd70f21c1d672e0
Instruction Fuzzy Hash: 3401A775B811086ADF04EBA0DA52EFF7BB89B11340F140019B506672C2EA249E1C96B1

Function 00A61C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A61CC8

Strings

ComboBox, xrefs: 00A61C69
ListBox, xrefs: 00A61C94

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b9af66f8b79b8936aa32efa03d4b5fb65b993f5a429a042932c012f9bfb0b9d7
Instruction ID: 8479dc9130bec1a25188bfed30bfdd4c03b488b0160afea70ab57714eb6d1e6c
Opcode Fuzzy Hash: b9af66f8b79b8936aa32efa03d4b5fb65b993f5a429a042932c012f9bfb0b9d7
Instruction Fuzzy Hash: 5001A7B1A4011866DB04E7A0DB01EFF7BB89B11340F140415B801732C2EA209F19D671

Function 00A61D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09CB3: _wcslen.LIBCMT ref: 00A09CBD

Part of subcall function 00A63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A63CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A61DD3

Strings

ComboBox, xrefs: 00A61D75
ListBox, xrefs: 00A61DA0

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb45d6d24d7f5784d4f75fe895e73ece3ff2c144db775e0ba0f7d42ab0f5f1f8
Instruction ID: 18ce55277a2d09eae34cea6aa43c87883eda6bebbd93d858ba585232b96d280a
Opcode Fuzzy Hash: eb45d6d24d7f5784d4f75fe895e73ece3ff2c144db775e0ba0f7d42ab0f5f1f8
Instruction Fuzzy Hash: 89F0A471F41218AADB04E7A4DE52FFF7BB8AB01350F080D19B922632C2EA60690D8261

Function 00A8747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A87493
_wcslen.LIBCMT ref: 00A874B9

Strings

3, 3, 16, 1, xrefs: 00A87483

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 70370a97feae3e58f5f5a4493f2a5b81c52e819972f3e6f01f6475343c416291
Instruction ID: 9de4e2a349c86fd234508ce4d8daffe07d0b342fe07db665cc48fa9670e3e31d
Opcode Fuzzy Hash: 70370a97feae3e58f5f5a4493f2a5b81c52e819972f3e6f01f6475343c416291
Instruction Fuzzy Hash: 01E02B02204230209331337DADC1A7F5689DFC9750734183BF995C2266EAD4CDD193A0

Function 00A20D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A20D71,?,?,?,00A0100A), ref: 00A1F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00A0100A), ref: 00A20D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A0100A), ref: 00A20D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A20D7F

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 53dd62170cced23a14f53385aec95f9c5834fd91c2c27f195576ab0523766aa1
Instruction ID: 67f0bf4e16775ebfc0e97c3fb8f8cad2ff48c7b11f48e0443f2adc59cd76bc39
Opcode Fuzzy Hash: 53dd62170cced23a14f53385aec95f9c5834fd91c2c27f195576ab0523766aa1
Instruction Fuzzy Hash: E1E06D743017518FD760EFBCE504B827BE0AB00740F00493EE482C6652EBB0E4458B91

Function 00A73017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A7302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A73044

Strings

aut, xrefs: 00A73038

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9088b4043ecaf5b7cbca19888d8380a5fe2fc5ec2ff23b2b65581c4244ee73d0
Instruction ID: 13400c0573b0a0ffcbd287b31fccd0de9e3735fe772184fe63c3982df145f9e0
Opcode Fuzzy Hash: 9088b4043ecaf5b7cbca19888d8380a5fe2fc5ec2ff23b2b65581c4244ee73d0
Instruction Fuzzy Hash: 24D05B7150031477DA20E7D89C0DFC73A6CD704760F0005527655D2091DEB09545CAD0

Function 00A3BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A3BE93
GetLastError.KERNEL32 ref: 00A3BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A3BEFC

Memory Dump Source

Source File: 00000000.00000002.1779645910.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1779615246.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000A9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779763379.0000000000AC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779844921.0000000000ACC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1779879003.0000000000AD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f30803284fcd569138ebfe137607432e2cc720968c0e6c88609b75d8cc9aeec9
Instruction ID: 6f7f2c627aea8653ff983b9fd4818989a63c0e088727f41d39dfaf026117f52a
Opcode Fuzzy Hash: f30803284fcd569138ebfe137607432e2cc720968c0e6c88609b75d8cc9aeec9
Instruction Fuzzy Hash: 3241D734615216AFCF21CFA8DD54ABABBB6AF41320F245169FA599B1A1DB30CD01CB70

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1846399519.000002339C60A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893104328.00000233928EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835000711.000002339ABFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841766007.0000023393636000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893104328.00000233928EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835000711.000002339ABFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841766007.0000023393636000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1846399519.000002339C60A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845076294.00000233923A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893104328.00000233928EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835000711.000002339ABFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841766007.0000023393636000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893104328.00000233928EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835000711.000002339ABFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841766007.0000023393636000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3560930647.000002732C90A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3560930647.000002732C90A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3560930647.000002732C90A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3561770678.0000025CF7E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1936868939.000002339CBC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833852960.000002339CBC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1944738775.000002339CE39000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846399519.000002339C60A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933496359.000002339CE39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1846225969.000002339C627000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1844546819.0000023392836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49820 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3e6453eb-fe91-4e4f-b261-d752867c9b5f.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3e6453eb-fe91-4e4f-b261-d752867c9b5f.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\87RHNY87CGJKH62829IA.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHA9JGIFIOCWQA2TI73Y.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre