Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574370
MD5:	a42c2512c7c450e1f1be312fbd38ac1b
SHA1:	830655bc2ae30b03b1b6f31f1f8229c15a9c712b
SHA256:	f4eecef17c99bb3d44793ec672f3c26c4cc2972578a95d7c1afc4945aa43b0f2
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A42C2512C7C450E1F1BE312FBD38AC1B)

taskkill.exe (PID: 7612 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7720 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7776 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7844 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7908 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7968 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8004 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8028 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7368 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2136 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e928bcec-b32f-4554-bc25-89a7cd56218c} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b56fd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7864 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -parentBuildID 20230927232528 -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d93f274-4bb2-4abb-9c9a-6812da0dd9e8} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b541a10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7360 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3a19f4-2490-4aad-97e4-8967fb44e0cf} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 192599d9910 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7596	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00A3EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A3EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A3ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00A3EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A2AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A59576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A59576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9e6e9d3e-0
Source: file.exe, 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_51a63e9b-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7b88fb26-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f0efe52e-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F032C996B7 NtQuerySystemInformation,		16_2_000001F032C996B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F032CBA172 NtQuerySystemInformation,		16_2_000001F032CBA172

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A2D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A21201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A21201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A2E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32046	0_2_00A32046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C8060	0_2_009C8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A28298	0_2_00A28298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FE4FF	0_2_009FE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F676B	0_2_009F676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A54873	0_2_00A54873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009ECAA0	0_2_009ECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CCAF0	0_2_009CCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DCC39	0_2_009DCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F6DD9	0_2_009F6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C91C0	0_2_009C91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DB119	0_2_009DB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E1394	0_2_009E1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E1706	0_2_009E1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E781B	0_2_009E781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E19B0	0_2_009E19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009C7920	0_2_009C7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D997D	0_2_009D997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E7A4A	0_2_009E7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E7CA7	0_2_009E7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E1C77	0_2_009E1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F9EEE	0_2_009F9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4BE44	0_2_00A4BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E1F32	0_2_009E1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F032C996B7	16_2_000001F032C996B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F032CBA172	16_2_000001F032CBA172
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F032CBA89C	16_2_000001F032CBA89C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001F032CBA1B2	16_2_000001F032CBA1B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009DF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009E0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/36@65/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A337B5 GetLastError,FormatMessageW,

0_2_00A337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A210BF AdjustTokenPrivileges,CloseHandle,		0_2_00A210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A2D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00A3648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009C42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1883913387.00000192599DE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2136 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e928bcec-b32f-4554-bc25-89a7cd56218c} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b56fd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -parentBuildID 20230927232528 -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d93f274-4bb2-4abb-9c9a-6812da0dd9e8} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b541a10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3a19f4-2490-4aad-97e4-8967fb44e0cf} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 192599d9910 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2136 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e928bcec-b32f-4554-bc25-89a7cd56218c} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b56fd10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -parentBuildID 20230927232528 -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d93f274-4bb2-4abb-9c9a-6812da0dd9e8} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b541a10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3a19f4-2490-4aad-97e4-8967fb44e0cf} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 192599d9910 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1912695500.000001924DC6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929306178.000001924DC6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdbP4O source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1936963194.00000192533DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946511724.0000019253763000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906470139.0000019253760000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000D.00000003.1915580980.000001924ACB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000D.00000003.1932265074.000001924CCCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939595690.000001924CCCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930816904.000001924CCCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930405130.000001924CCF8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdbvendor-short-name source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1932203813.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930208207.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939250804.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1938513371.000001924D88E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1934688593.000001924ACDF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdbP4O source: firefox.exe, 0000000D.00000003.1939307168.000001924D776000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1924158224.00000192531EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906602409.00000192531EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1939307168.000001924D78B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000D.00000003.1939307168.000001924D78B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1932203813.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930208207.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939250804.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdbP4O source: firefox.exe, 0000000D.00000003.1912695500.000001924DC6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929306178.000001924DC6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1912695500.000001924DC6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929306178.000001924DC6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000D.00000003.1915580980.000001924ACB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1932203813.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929928142.000001924D7D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930208207.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939250804.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000D.00000003.1940512047.000001924C94F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933309683.000001924C94F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb^/js/apis/geoip2/.*/geoip2\.js$ source: firefox.exe, 0000000D.00000003.1941329667.000001924C7F8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1939307168.000001924D78B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000D.00000003.1939307168.000001924D776000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1929802325.000001924D8D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938513371.000001924D88E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1934688593.000001924ACDF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1929928142.000001924D7D2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1932203813.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930208207.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939250804.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1939307168.000001924D78B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1929928142.000001924D7D2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000D.00000003.1932203813.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930208207.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939250804.000001924D7B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1929802325.000001924D8D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1941921998.000001924C7A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009C42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009E0A76 push ecx; ret

0_2_009E0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_009DF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A51C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96231

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F032C996B7 rdtsc

16_2_000001F032C996B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A2DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A368EE FindFirstFileW,FindClose,	0_2_00A368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00A3698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A2D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A2D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A39642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A3979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00A39B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A35C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00A35C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009C42DE

Source: firefox.exe, 0000000F.00000002.2941411991.000002469F112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcmuy
Source: firefox.exe, 00000011.00000002.2939693519.0000020AEAD00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: firefox.exe, 0000000F.00000002.2935348431.000002469EC2A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2932422104.000001F0329FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939971167.000001F033190000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2932421048.0000020AEA88A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2940572937.000002469F011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: file.exe, 00000000.00000003.1721069112.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1684263229.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1687714728.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1684468359.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1720803720.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1686692715.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1688110443.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1684639673.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1683424663.0000000001048000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1687911401.000000000104B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1686025978.000000000104B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_
Source: firefox.exe, 00000010.00000002.2939971167.000001F033190000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: firefox.exe, 0000000F.00000002.2941411991.000002469F108000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2941411991.000002469F112000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2939971167.000001F033190000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001F032C996B7 rdtsc

16_2_000001F032C996B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3EAA2 BlockInput,

0_2_00A3EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009F2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009E4CE8 mov eax, dword ptr fs:[00000030h]

0_2_009E4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A20B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A20B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009F2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009E083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E09D5 SetUnhandledExceptionFilter,	0_2_009E09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009E0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A21201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A02BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A02BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A2B226 SendInput,keybd_event,

0_2_00A2B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A422DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00A20B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A21663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A21663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1897086287.0000019258D07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009E0698 cpuid

0_2_009E0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1D21C GetLocalTime,

0_2_00A1D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A1D27A GetUserNameW,

0_2_00A1D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009FBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_009FBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009C42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7596, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7596, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A41204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00A41204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A41806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A41806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	32%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://firefox.settings.services.mozilla.comSO	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.110	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2935390514.0000020AEACC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2936056062.000002469EFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2939974322.0000020AEAE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1864384205.000001925389E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852340257.000001925389E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914857522.00000192538A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781297338.00000192538B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873263942.000001925389E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.2936056062.000002469EF72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032D86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935390514.0000020AEAC8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1941921998.000001924C79A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1934061776.000001924C93E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1741424481.000001924B03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741652264.000001924B077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741164829.000001924AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741531654.000001924B05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741308632.000001924B01F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1941921998.000001924C7A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1901330963.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783631198.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1741424481.000001924B03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741652264.000001924B077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741164829.000001924AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741531654.000001924B05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741308632.000001924B01F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941628658.000001924C7B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000D.00000003.1783631198.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919848519.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901330963.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1741424481.000001924B03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741652264.000001924B077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741164829.000001924AE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741531654.000001924B05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741308632.000001924B01F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000D.00000003.1936032196.0000019257F4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1941921998.000001924C79A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2936056062.000002469EFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2939974322.0000020AEAE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2https:	firefox.exe, 0000000D.00000003.1792249975.000001924BC7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2936056062.000002469EFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2939974322.0000020AEAE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935390514.0000020AEAC0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1818019748.000001924D02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818844435.000001924D04E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1938054486.000001924D8C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2935390514.0000020AEACC4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1818019748.000001924D02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818844435.000001924D04E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1793363206.000001924CA3A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1890420076.000001924DBE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1934061776.000001924C93E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931246358.00000192553C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902358684.00000192553C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1945092511.00000192553D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032D12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935390514.0000020AEAC13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.2936056062.000002469EF72000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1901330963.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783631198.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1926033504.000001924E851000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881629511.0000019253840000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801198534.000001924C2C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894446544.000001924B5DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1746872336.000001924C2DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904477095.0000019253952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903471683.000001925399A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1813112575.000001924C2C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887784507.000001924E87F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852015636.000001924C3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916924761.000001924CA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1798304976.000001924BBF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865129353.000001924C2C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801667154.000001924C2C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1806237439.000001924C2C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892106277.000001924BBA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1810248364.000001924C2D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872775632.000001924C2C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848742677.0000019257EAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908003555.000001924BBF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921541419.0000019254CD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1783631198.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919848519.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901330963.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1783631198.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901330963.0000019257F98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919848519.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919848519.0000019257F98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257F98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783631198.0000019257F98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901330963.0000019257FA9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1886773648.0000019253774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946511724.0000019253774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906470139.0000019253774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787056875.0000019253774000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1864384205.000001925389E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852340257.000001925389E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914857522.00000192538A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781297338.00000192538B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873263942.000001925389E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1742637947.0000019248C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742836002.0000019248C22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849146873.0000019248C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743086007.0000019248C33000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1890614769.000001924DBA3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1887497649.000001924E8C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924776943.000001924E8C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910370646.000001924E8C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937866993.000001924E8D7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1818019748.000001924D02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818844435.000001924D04E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1742637947.0000019248C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742836002.0000019248C22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849146873.0000019248C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743086007.0000019248C33000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2936056062.000002469EFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2939974322.0000020AEAE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1786934679.0000019254CA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1936905781.0000019254C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1883913387.00000192599CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1741308632.000001924B01F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1901330963.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783631198.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886286875.0000019257F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.comSO	firefox.exe, 0000000D.00000003.1883700609.0000019259F42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942922094.0000019259F44000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1941921998.000001924C79A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2935039687.000002469EBD0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2933757761.000001F032C10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2934402999.0000020AEAB00000.00000002.10000000.00040000.00000000.sdmp	false		high
https://twitter.com/	firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1886773648.0000019253774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1946511724.0000019253774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906470139.0000019253774000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787056875.0000019253774000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1818019748.000001924D02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818844435.000001924D04E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1742637947.0000019248C33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742836002.0000019248C22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849146873.0000019248C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743086007.0000019248C33000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1781864370.0000019253A92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781221259.0000019253AA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schemaresource://gre/modules/JsonSchema.sys.mjs_RemoteSettings	firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://watch.sling.com/	firefox.exe, 0000000D.00000003.1941628658.000001924C7B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 0000000F.00000002.2936056062.000002469EFCB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2935896638.000001F032DE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2939974322.0000020AEAE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000D.00000003.1864384205.000001925389E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852340257.000001925389E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914857522.00000192538A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781297338.00000192538B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873263942.000001925389E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/complete/	firefox.exe, 0000000D.00000003.1945731494.00000192539C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921879942.00000192539C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903471683.00000192539C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema./	firefox.exe, 0000000D.00000003.1941921998.000001924C79A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574370
Start date and time:	2024-12-13 09:55:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/36@65/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 47 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 44.228.225.150, 35.85.93.176, 54.213.181.160, 142.250.181.138, 142.250.181.74, 172.217.17.46, 88.221.134.155, 88.221.134.209, 23.218.208.109, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
03:56:09	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	151.101.66.137
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	151.101.0.223
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	secure.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.110.153
	archive.htm	Get hash	malicious	HTMLPhisher	Browse	185.199.111.153
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	185.199.108.153
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://tanvu4275q8.wixsite.com/so/8cPEz8Djt/c?w=bJAUesZ8eZ2xWNc0NTHHsU2Nmh3l2WncU6sGxbkep9U.eyJ1IjoiaHR0cHM6Ly9mc2RqZmllZmlqcy5zaXRlLyIsInIiOiI0ODEzNDVjNy1iNDE0LTQwZDAtYjVlOS02NTQxMmJkNjgzMjAiLCJtIjoibWFpbCIsImMiOiJjYmUwODBjMy03ZjVkLTQxMDctOWFhMC05NGMxMmQzNGZhMGEifQ	Get hash	malicious	Unknown	Browse	34.144.206.118
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.0.41.226
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.92.80.67
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0c85571a-b00f-4e52-8f7a-ad8de11b9487.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177305619904871
Encrypted:	false
SSDEEP:	192:UQjMXzP4cbhbVbTbfbRbObtbyEl7nAruJA6WnSrDtTUd/SkDru:hYUcNhnzFSJgrNBnSrDhUd/0
MD5:	C10BB898EC81999C827166C05920ACDC
SHA1:	DDAF90B2FCA73F2334969E5ACFC192063D5D3CB6
SHA-256:	54FA7C32ADA60C5790ABC62A50FC8DDC3B9D263999F5ADD363407A4ED5D51E05
SHA-512:	098EC4A0B6ABE2E526C0A61700A974147402CBE74CFC47F0CE5C66C4A907D51CDB8F92647348276CF151BB7789BFF43360AC010ADA4B19691EEF611544B47DE1
Malicious:	false
Preview:	{"type":"uninstall","id":"0c85571a-b00f-4e52-8f7a-ad8de11b9487","creationDate":"2024-12-13T10:30:42.889Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0c85571a-b00f-4e52-8f7a-ad8de11b9487.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177305619904871
Encrypted:	false
SSDEEP:	192:UQjMXzP4cbhbVbTbfbRbObtbyEl7nAruJA6WnSrDtTUd/SkDru:hYUcNhnzFSJgrNBnSrDhUd/0
MD5:	C10BB898EC81999C827166C05920ACDC
SHA1:	DDAF90B2FCA73F2334969E5ACFC192063D5D3CB6
SHA-256:	54FA7C32ADA60C5790ABC62A50FC8DDC3B9D263999F5ADD363407A4ED5D51E05
SHA-512:	098EC4A0B6ABE2E526C0A61700A974147402CBE74CFC47F0CE5C66C4A907D51CDB8F92647348276CF151BB7789BFF43360AC010ADA4B19691EEF611544B47DE1
Malicious:	false
Preview:	{"type":"uninstall","id":"0c85571a-b00f-4e52-8f7a-ad8de11b9487","creationDate":"2024-12-13T10:30:42.889Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929266502969028
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNDcC:8S+OfJQPUFpOdwNIOdYVjvYcXaNL9f8P
MD5:	EAC8F4AC7250DA5CFC4BEDB25209F6EE
SHA1:	F388E92E8B1255E6BDD5D102D630513733F60154
SHA-256:	701CA38C66663F4CBA070CC496B59D92D7B50ACD18301584FEA428DA15E50990
SHA-512:	EBF3F1A87D628815A837710F52AC46D6674FEDD32B756A47D21F9CC7C9EFCA63B1EC32814F17BB8A59BAF100269938E18BA8FA1FC6FFD85FFB2CCBBB2252CBCD
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929266502969028
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNDcC:8S+OfJQPUFpOdwNIOdYVjvYcXaNL9f8P
MD5:	EAC8F4AC7250DA5CFC4BEDB25209F6EE
SHA1:	F388E92E8B1255E6BDD5D102D630513733F60154
SHA-256:	701CA38C66663F4CBA070CC496B59D92D7B50ACD18301584FEA428DA15E50990
SHA-512:	EBF3F1A87D628815A837710F52AC46D6674FEDD32B756A47D21F9CC7C9EFCA63B1EC32814F17BB8A59BAF100269938E18BA8FA1FC6FFD85FFB2CCBBB2252CBCD
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiM:DLhesh7Owd4+ji
MD5:	D036EF681D901D92CA0CC5E714C17922
SHA1:	1EBED38AF3CAE0536978E057EF911ABF2AFE299D
SHA-256:	E50E6EAD4C094925240B2AE73125065BE8FB01D62DF830FACFECAC21E244BDDB
SHA-512:	A8FF386E01E547799F0F133560C63445006F48581791A39343B69E0C0BD5B729855041577A932D991028A137A8C52150315EAC7D08F92A2935D88610CD1DE54F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035737944707653645
Encrypted:	false
SSDEEP:	3:GtlstFTWlkq/3lstFTWlkltT89//alEl:GtWtQWqPWtQWD89XuM
MD5:	66D5813F96D6D5D6DA507EC7F7583B71
SHA1:	E54FB79CEC469CE0C22888D3BE690C68B056EA51
SHA-256:	C6E280442ABEB5ADA6AD0A22CEA2DF86C97CBC4FBF78B646C18A33A876DD2D43
SHA-512:	44807AC4B23010A07B373B23D6F06005AE09FF51BB4D8B5C5CE3580CA2D5A0D86C011DA7DF340DE8B311CB08D3F15F79C869759F3B9C6068F558FA842E317198
Malicious:	false
Preview:	..-.....................DZ6..<.b....l..EJ.W&O~7...-.....................DZ6..<.b....l..EJ.W&O~7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04004211531425465
Encrypted:	false
SSDEEP:	3:Ol1kOr8lIudURoHl57l8rEXsxdwhml8XW3R2:KSAJOHrl8dMhm93w
MD5:	E56C2704A7F1ECBA5A86B0CC4B897538
SHA1:	65954AA60ECEE95F34309B5C5C266A1C75B16871
SHA-256:	8D96EBCC8D3F7878761327490B8C8834D1E43D5017A0A00761857A1219E57F4D
SHA-512:	7193C06ECEC70C563328394F31BE89BEE1AA727194C36F7F7F779F40F3DD4AD73E6A596335B4224AFE228453FA387F203A90DBAE7DEF79EEE4562DB945FF97C4
Malicious:	false
Preview:	7....-..............l..Ec{..a.;.............l..E.6ZDb.<.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495437732280204
Encrypted:	false
SSDEEP:	192:/naRtLYbBp6fhj4qyaaXp6K6hNNi5RfGNBw8d0Sl:qeRqzJrUcwn0
MD5:	A57802C4B1D2364C727478BE60CC83EC
SHA1:	FBE97FD80E701A9792F31D247F67051F12523B25
SHA-256:	9DC7F680C7B6D98181C8BBD8A464F8BCE96E890A99E9734D2A8DE5A306147843
SHA-512:	77FCC5DD714256523A23CE8D10A7DBBB214D6AAFF2B99CD4B0F4A73018B3C0B0849B03A7A1788393D0B1659B3D2F4A562293711AC29960BA363EEE80614C57D2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734085813);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734085813);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734085813);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495437732280204
Encrypted:	false
SSDEEP:	192:/naRtLYbBp6fhj4qyaaXp6K6hNNi5RfGNBw8d0Sl:qeRqzJrUcwn0
MD5:	A57802C4B1D2364C727478BE60CC83EC
SHA1:	FBE97FD80E701A9792F31D247F67051F12523B25
SHA-256:	9DC7F680C7B6D98181C8BBD8A464F8BCE96E890A99E9734D2A8DE5A306147843
SHA-512:	77FCC5DD714256523A23CE8D10A7DBBB214D6AAFF2B99CD4B0F4A73018B3C0B0849B03A7A1788393D0B1659B3D2F4A562293711AC29960BA363EEE80614C57D2
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734085813);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734085813);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734085813);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173408

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	6.363708908081782
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSNLXnIgG/pnxQwRlsAspHoVGH3j6xiMutdL/5QH2oXpCurD/I0Dge4:cpOxwmnRtYpGxHu5kpCgwcR4
MD5:	5A629B41EB3E672E61A7BB8D2E477C55
SHA1:	097FE171ABF7172AA8FB58A21478B9F8EE284248
SHA-256:	8FB3814E580844A2518FB4A27C57B686271932F8FA62EB3F3AB3599D2E977D28
SHA-512:	C8E292066D2F53C2CAC9458F8BDC1B9131FD6EA0654B26119ED1D6AD1B6023054D82F027A09BA7AD6D41740EF5CF099D9E66884B1464795E77DC9492C63B3963
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{adcf5c20-3208-4fb2-81c3-703ba99be5d2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734085818624,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":10..qscreenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...5,"startTim..`782812...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..eexpiry....787994,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	6.363708908081782
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSNLXnIgG/pnxQwRlsAspHoVGH3j6xiMutdL/5QH2oXpCurD/I0Dge4:cpOxwmnRtYpGxHu5kpCgwcR4
MD5:	5A629B41EB3E672E61A7BB8D2E477C55
SHA1:	097FE171ABF7172AA8FB58A21478B9F8EE284248
SHA-256:	8FB3814E580844A2518FB4A27C57B686271932F8FA62EB3F3AB3599D2E977D28
SHA-512:	C8E292066D2F53C2CAC9458F8BDC1B9131FD6EA0654B26119ED1D6AD1B6023054D82F027A09BA7AD6D41740EF5CF099D9E66884B1464795E77DC9492C63B3963
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{adcf5c20-3208-4fb2-81c3-703ba99be5d2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734085818624,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":10..qscreenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...5,"startTim..`782812...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..eexpiry....787994,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	6.363708908081782
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSNLXnIgG/pnxQwRlsAspHoVGH3j6xiMutdL/5QH2oXpCurD/I0Dge4:cpOxwmnRtYpGxHu5kpCgwcR4
MD5:	5A629B41EB3E672E61A7BB8D2E477C55
SHA1:	097FE171ABF7172AA8FB58A21478B9F8EE284248
SHA-256:	8FB3814E580844A2518FB4A27C57B686271932F8FA62EB3F3AB3599D2E977D28
SHA-512:	C8E292066D2F53C2CAC9458F8BDC1B9131FD6EA0654B26119ED1D6AD1B6023054D82F027A09BA7AD6D41740EF5CF099D9E66884B1464795E77DC9492C63B3963
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{adcf5c20-3208-4fb2-81c3-703ba99be5d2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734085818624,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":10..qscreenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...5,"startTim..`782812...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..eexpiry....787994,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033024942266115
Encrypted:	false
SSDEEP:	48:YrSAYa36UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yca3yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	78DE683331ACB337AA8BA0CEB0452A27
SHA1:	89B5AC3DD090AA06A5347881593A4188A7BFCFBC
SHA-256:	7D7A5DBC4716CBBD064E09C33E4696050C1D654945133FC286623D6A91A353EE
SHA-512:	2471168B372A07288A6AC3A241288F078DE59556ECD0B6C3A76317EF79E34A01564A93551B743C1E0ABAA44863E60A1B064405C9160FCAFFE94E03A940EF838B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T10:30:00.596Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033024942266115
Encrypted:	false
SSDEEP:	48:YrSAYa36UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yca3yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	78DE683331ACB337AA8BA0CEB0452A27
SHA1:	89B5AC3DD090AA06A5347881593A4188A7BFCFBC
SHA-256:	7D7A5DBC4716CBBD064E09C33E4696050C1D654945133FC286623D6A91A353EE
SHA-512:	2471168B372A07288A6AC3A241288F078DE59556ECD0B6C3A76317EF79E34A01564A93551B743C1E0ABAA44863E60A1B064405C9160FCAFFE94E03A940EF838B
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T10:30:00.596Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.701800982201782
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	969'728 bytes
MD5:	a42c2512c7c450e1f1be312fbd38ac1b
SHA1:	830655bc2ae30b03b1b6f31f1f8229c15a9c712b
SHA256:	f4eecef17c99bb3d44793ec672f3c26c4cc2972578a95d7c1afc4945aa43b0f2
SHA512:	c464eb64bcd3813f8db5c1a0edf696e39674279b5270cb2f8a6100df5dce6ae3f25df6833f2bc8ca7ff4b926427d2f190af414c5e06b9f1bda846d0d882de71a
SSDEEP:	24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8ah6m:dTvC/MTQYxsWR7ah6
TLSH:	38259E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BF085 [Fri Dec 13 08:29:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3F0C7C9D93h
jmp 00007F3F0C7C969Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3F0C7C987Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3F0C7C984Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3F0C7CC43Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3F0C7CC488h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3F0C7CC471h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x16088	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x16088	0x16200	d5c297ea466026a8d617539d3be2eccc	False	0.6985897775423728	data	7.165799427962069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xd20c	data			1.0004835230231348
RT_GROUP_ICON	0xe9b08	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe9b80	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe9b94	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe9ba8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe9bbc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe9c98	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 09:56:06.712513924 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:06.712580919 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:06.712693930 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:06.717401028 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:06.717437983 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:07.946221113 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:07.946413994 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:07.953911066 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:07.953963041 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:07.954022884 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:07.954201937 CET	443	49736	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:07.954271078 CET	49736	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:09.755347013 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:09.755397081 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:09.755455971 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:09.755496979 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:09.755618095 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:09.755907059 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:09.755908966 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:09.757179976 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:09.757198095 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:09.758415937 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:09.758428097 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:09.875524998 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:09.879465103 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:09.879678011 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:09.999522924 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:10.540929079 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:10.540971994 CET	443	49741	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:10.542642117 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:10.542642117 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:10.542686939 CET	443	49741	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:10.682055950 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:10.682102919 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:10.683270931 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:10.684571028 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:10.684587955 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:10.709556103 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:10.709645033 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:10.709908962 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:10.711191893 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:10.711226940 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:10.809943914 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:10.810053110 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 09:56:10.812336922 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:10.819578886 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:10.819622040 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 09:56:10.965331078 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:11.012862921 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.458235979 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.458610058 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.459232092 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.459299088 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.463669062 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.463669062 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.463690042 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.464010000 CET	443	49738	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.464082003 CET	49738	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.466212034 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.466273069 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.467641115 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.469978094 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.473881960 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.473887920 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.473962069 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.474134922 CET	443	49739	142.250.181.110	192.168.2.4
Dec 13, 2024 09:56:11.474180937 CET	49739	443	192.168.2.4	142.250.181.110
Dec 13, 2024 09:56:11.580503941 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:11.580542088 CET	443	49747	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:11.580576897 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.582494020 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:11.584157944 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:11.584175110 CET	443	49747	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:11.670777082 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.700397968 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:11.764740944 CET	443	49741	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:11.764813900 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:11.768053055 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:11.768075943 CET	443	49741	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:11.768480062 CET	443	49741	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:11.770950079 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:11.771039963 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:11.771130085 CET	443	49741	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:11.771255016 CET	49741	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:11.790705919 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:11.790797949 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.790924072 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.895453930 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:11.899368048 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.910600901 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:11.911926985 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:11.912023067 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.917931080 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.917994976 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:11.918045044 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.918268919 CET	443	49743	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:11.918406010 CET	49743	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.922648907 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.939054012 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:11.952323914 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:11.952529907 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.957489967 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.957520962 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:11.957613945 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:11.957767963 CET	443	49744	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:11.958115101 CET	49744	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:12.019526005 CET	80	49740	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.031446934 CET	49740	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.035305023 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 09:56:12.036106110 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:12.040174961 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:12.040190935 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 09:56:12.040451050 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 09:56:12.042803049 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:12.042889118 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:12.042943001 CET	443	49745	34.160.144.191	192.168.2.4
Dec 13, 2024 09:56:12.043083906 CET	49745	443	192.168.2.4	34.160.144.191
Dec 13, 2024 09:56:12.058763981 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.058840036 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.059030056 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.083168030 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.178750038 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.254581928 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.374449015 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.374942064 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.375046015 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.495511055 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.682666063 CET	80	49748	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:12.687402010 CET	49748	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:12.804183960 CET	443	49747	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:12.806370020 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:12.817203045 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:12.817203045 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:12.817217112 CET	443	49747	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:12.817449093 CET	443	49747	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:12.828809023 CET	49747	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:12.862796068 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:12.862888098 CET	443	49752	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:12.863151073 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:12.864340067 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:12.864378929 CET	443	49752	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:13.144709110 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:13.192754984 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:13.462483883 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:13.509224892 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:14.083203077 CET	443	49752	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:14.083292961 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.088251114 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.088264942 CET	443	49752	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:14.088361025 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.088397980 CET	443	49752	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:14.088509083 CET	49752	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.088723898 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.088820934 CET	443	49753	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:14.088920116 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.090162992 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:14.090205908 CET	443	49753	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:15.307904959 CET	443	49753	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:15.312175989 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:15.317349911 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:15.317401886 CET	443	49753	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:15.317441940 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:15.317946911 CET	443	49753	34.117.188.166	192.168.2.4
Dec 13, 2024 09:56:15.318516970 CET	49753	443	192.168.2.4	34.117.188.166
Dec 13, 2024 09:56:15.753288984 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:15.770240068 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:15.869184971 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:15.869242907 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:15.873126030 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:15.888643026 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:15.888935089 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:15.888945103 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:15.890119076 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:15.933687925 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:15.933731079 CET	443	49755	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:15.940330029 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:15.942307949 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:15.942318916 CET	443	49755	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:15.943722963 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:15.943730116 CET	443	49756	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:15.944175005 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:15.946139097 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:15.946146965 CET	443	49756	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:16.068346977 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:16.085356951 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:16.110963106 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:16.136579990 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:17.103296995 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:17.103346109 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:17.117482901 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:17.121407032 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:17.121422052 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:17.121747017 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:17.124490023 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:17.124583960 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:17.124655962 CET	443	49754	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:17.124969959 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:17.125003099 CET	49754	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:17.171459913 CET	443	49755	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:17.171474934 CET	443	49755	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:17.171890020 CET	443	49756	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:17.179356098 CET	443	49756	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:17.182507038 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:17.182507038 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:17.191242933 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:17.191257954 CET	443	49755	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:17.191364050 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:17.191775084 CET	443	49755	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:17.194046021 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:17.194051027 CET	443	49756	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:17.194128990 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:17.194323063 CET	49755	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:17.194523096 CET	443	49756	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:17.197680950 CET	49756	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:20.710201025 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:20.725862026 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:20.728173971 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:20.728221893 CET	443	49761	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:20.729234934 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:20.731334925 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:20.731350899 CET	443	49761	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:20.742274046 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.742314100 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:20.742912054 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.743268013 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.743282080 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:20.830156088 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:20.845710039 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:20.865029097 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.865072012 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:20.865113974 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.865180016 CET	443	49764	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:20.865400076 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.865446091 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.866765976 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.866780043 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:20.866873026 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:20.866894007 CET	443	49764	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:21.025216103 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:21.040934086 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:21.067627907 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:21.083247900 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:21.951360941 CET	443	49761	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:21.952789068 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:21.954736948 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:21.954811096 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.079946995 CET	443	49764	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.080018044 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.081554890 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.081624031 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.386967897 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:22.390818119 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.390839100 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.391860962 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.424724102 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.424806118 CET	443	49764	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.425107002 CET	443	49764	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.430507898 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:22.430507898 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:22.430527925 CET	443	49761	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:22.430699110 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.430843115 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.430857897 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.430919886 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.431097031 CET	443	49764	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.431107044 CET	443	49761	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:22.431165934 CET	49764	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.431179047 CET	443	49762	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.431210041 CET	49761	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:22.431267977 CET	49762	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.431813955 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.431813955 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.431832075 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.432387114 CET	443	49763	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:22.432465076 CET	49763	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:22.507679939 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:22.703152895 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:22.757026911 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:22.975781918 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:23.025583029 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:23.025629997 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:23.028625011 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:23.030014038 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:23.030033112 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:23.095755100 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:23.292874098 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:23.336483955 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:23.546900988 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:23.666831017 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:23.861650944 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:23.906903982 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:24.247749090 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:24.247833967 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:24.715979099 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:24.716034889 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:24.716054916 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:24.716451883 CET	443	49766	34.120.208.123	192.168.2.4
Dec 13, 2024 09:56:24.716547966 CET	49766	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:56:25.162060022 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:25.281975031 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:25.477207899 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:25.527132034 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:26.303710938 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:26.424187899 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:26.619128942 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:26.668366909 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:31.570612907 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:31.778532028 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:31.885902882 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:31.889256954 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:31.930051088 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:32.009140968 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:32.204916954 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:32.246654034 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:32.993683100 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:32.993729115 CET	443	49769	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:32.993840933 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:32.995578051 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:32.995594978 CET	443	49769	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:34.217222929 CET	443	49769	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:34.217319965 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:34.223905087 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:34.223927975 CET	443	49769	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:34.224015951 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:34.224276066 CET	443	49769	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:34.224483013 CET	49769	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:34.227065086 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:34.347198963 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:34.542731047 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:34.546602011 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:34.591077089 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:34.666615963 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:34.861823082 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:34.907613993 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:35.675031900 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:35.675131083 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:35.690560102 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:35.690812111 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:35.690856934 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:35.759537935 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:35.759572029 CET	443	49771	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:35.759949923 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:35.759985924 CET	443	49772	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:35.765274048 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:35.765366077 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:35.765419006 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:35.765429020 CET	443	49771	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:35.767594099 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:35.767611980 CET	443	49772	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:35.920113087 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:35.920203924 CET	443	49773	35.201.103.21	192.168.2.4
Dec 13, 2024 09:56:35.920816898 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:35.922395945 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:35.922436953 CET	443	49773	35.201.103.21	192.168.2.4
Dec 13, 2024 09:56:35.954992056 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:35.955039024 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:35.955447912 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:35.955570936 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:35.955580950 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:36.909151077 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:36.909167051 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:36.909231901 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:36.912348032 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:36.912358999 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:36.912688971 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:36.914797068 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:36.914875984 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:36.915004969 CET	443	49770	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:36.917840004 CET	49770	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:36.918277979 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:36.980669022 CET	443	49771	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:36.980756998 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:36.981290102 CET	443	49772	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:36.981708050 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:36.983880997 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:36.983889103 CET	443	49771	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:36.984198093 CET	443	49771	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:36.988805056 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:36.988893986 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:36.989067078 CET	443	49771	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:36.989136934 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:36.989147902 CET	443	49772	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:36.989239931 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:36.989322901 CET	49771	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:36.989351988 CET	443	49772	35.190.72.216	192.168.2.4
Dec 13, 2024 09:56:36.991341114 CET	49772	443	192.168.2.4	35.190.72.216
Dec 13, 2024 09:56:37.038100958 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:37.145750046 CET	443	49773	35.201.103.21	192.168.2.4
Dec 13, 2024 09:56:37.146689892 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:37.151779890 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:37.151861906 CET	443	49773	35.201.103.21	192.168.2.4
Dec 13, 2024 09:56:37.151895046 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:37.152096033 CET	443	49773	35.201.103.21	192.168.2.4
Dec 13, 2024 09:56:37.152401924 CET	49773	443	192.168.2.4	35.201.103.21
Dec 13, 2024 09:56:37.164237022 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:37.164305925 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:37.165086985 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:37.165237904 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:37.165256977 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:37.182482958 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:37.182583094 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:37.186204910 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:37.186218023 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:37.186625004 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:37.188400984 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:37.188605070 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:37.188618898 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:37.188627958 CET	443	49774	151.101.1.91	192.168.2.4
Dec 13, 2024 09:56:37.194300890 CET	49774	443	192.168.2.4	151.101.1.91
Dec 13, 2024 09:56:37.195657015 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.195713997 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:37.195888042 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.196017981 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.196028948 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:37.198388100 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.198429108 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:37.198512077 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.198705912 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.198720932 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:37.201373100 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.201395988 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:37.201848030 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.201955080 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:37.201973915 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:37.400983095 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:37.404628038 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:37.446058989 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:37.525758982 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:37.720396042 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:37.778337955 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:38.380850077 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:38.381736040 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:38.386667013 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:38.386667013 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:38.386677980 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:38.386698961 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:38.386753082 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:38.387002945 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:38.387217045 CET	443	49775	34.149.100.209	192.168.2.4
Dec 13, 2024 09:56:38.388072968 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:38.388072968 CET	49775	443	192.168.2.4	34.149.100.209
Dec 13, 2024 09:56:38.396456957 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:38.410813093 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.410873890 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.413713932 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.413726091 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.413992882 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.414622068 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.414839029 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.417171955 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.417202950 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.417932034 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.419481039 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.419572115 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.419610023 CET	443	49777	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.420264959 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.420722008 CET	49777	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.420752048 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.420752048 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.420818090 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.420928001 CET	443	49776	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.421662092 CET	49776	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.423651934 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.423664093 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.424426079 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.425637960 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.425707102 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.426027060 CET	443	49778	35.244.181.201	192.168.2.4
Dec 13, 2024 09:56:38.428222895 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.428224087 CET	49778	443	192.168.2.4	35.244.181.201
Dec 13, 2024 09:56:38.516937017 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:38.712042093 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:38.714735031 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:38.765431881 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:38.834774971 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:39.029921055 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:39.082076073 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:48.712052107 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:48.831844091 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:49.044246912 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:49.164323092 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:55.672945023 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:55.673017025 CET	443	49780	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:55.673501968 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:55.675508976 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:55.675527096 CET	443	49780	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:56.888324022 CET	443	49780	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:56.888488054 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:56.893399954 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:56.893409014 CET	443	49780	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:56.893486023 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:56.893580914 CET	443	49780	34.107.243.93	192.168.2.4
Dec 13, 2024 09:56:56.894319057 CET	49780	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:56:56.896280050 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:57.016073942 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:57.211384058 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:57.214747906 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:57.252372026 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:56:57.334609032 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:57.529654026 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:56:57.568866014 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:05.736733913 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.736772060 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:05.737082005 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.737123966 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:05.737469912 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.737565041 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:05.738924026 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.738940001 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.738955021 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.739058971 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.739069939 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:05.739200115 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.739217043 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:05.739279032 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:05.739320040 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.956299067 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.956473112 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.959935904 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.959954023 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.960272074 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.962618113 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.962753057 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.962754965 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.962769032 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.966551065 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.966900110 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:06.967771053 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.967925072 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.968067884 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.970767021 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.970783949 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.971194983 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.972868919 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.972899914 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.973198891 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.975914955 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.976002932 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.976070881 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.976104975 CET	443	49798	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.976147890 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.976257086 CET	443	49800	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:06.976264954 CET	49798	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:06.976306915 CET	49800	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:07.086663008 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:07.167351961 CET	443	49799	34.120.208.123	192.168.2.4
Dec 13, 2024 09:57:07.169861078 CET	49799	443	192.168.2.4	34.120.208.123
Dec 13, 2024 09:57:07.281941891 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:07.285058975 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:07.328036070 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:07.404966116 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:07.599644899 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:07.644408941 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:17.292937994 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:17.412761927 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:17.609396935 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:17.729337931 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:27.422414064 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:27.542795897 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:27.738909006 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:27.858885050 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:37.551554918 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:37.657035112 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:37.657138109 CET	443	49875	34.107.243.93	192.168.2.4
Dec 13, 2024 09:57:37.657830000 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:37.659782887 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:37.659818888 CET	443	49875	34.107.243.93	192.168.2.4
Dec 13, 2024 09:57:37.672707081 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:37.868305922 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:37.988076925 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:38.879700899 CET	443	49875	34.107.243.93	192.168.2.4
Dec 13, 2024 09:57:38.879790068 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:38.886035919 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:38.886063099 CET	443	49875	34.107.243.93	192.168.2.4
Dec 13, 2024 09:57:38.886127949 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:38.886487007 CET	443	49875	34.107.243.93	192.168.2.4
Dec 13, 2024 09:57:38.886544943 CET	49875	443	192.168.2.4	34.107.243.93
Dec 13, 2024 09:57:38.889048100 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:39.008837938 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:39.203741074 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:39.215009928 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:39.256557941 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:39.334785938 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:39.529582977 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:39.573138952 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:49.217664003 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:49.337565899 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:49.534235001 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:49.655225992 CET	80	49749	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:59.346812010 CET	49750	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:59.466969967 CET	80	49750	34.107.221.82	192.168.2.4
Dec 13, 2024 09:57:59.663374901 CET	49749	80	192.168.2.4	34.107.221.82
Dec 13, 2024 09:57:59.783246994 CET	80	49749	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 09:56:06.712980986 CET	55962	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:06.850645065 CET	53	55962	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:06.851337910 CET	65445	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:06.992327929 CET	53	65445	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:09.615187883 CET	62038	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:09.615823030 CET	49878	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:09.754484892 CET	53	62038	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:09.755867004 CET	60212	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:09.756752968 CET	57003	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:09.893629074 CET	53	60212	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:09.894747972 CET	53	57003	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:09.929918051 CET	57298	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:09.930201054 CET	60968	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.066914082 CET	53	57298	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.072968006 CET	53	60968	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.540854931 CET	56081	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.541594028 CET	64060	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.568500996 CET	59927	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.664119959 CET	55611	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.679919958 CET	53	56081	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.680644989 CET	53	64060	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.681551933 CET	56765	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.682203054 CET	61864	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.708354950 CET	53	59927	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.709850073 CET	55471	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.712404966 CET	54543	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.805614948 CET	53	55611	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.819926023 CET	53	56765	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.820028067 CET	53	61864	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.824913979 CET	58470	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.825042963 CET	52761	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.849163055 CET	53	55471	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.854856968 CET	54289	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.858464956 CET	50039	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.962168932 CET	53	58470	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.962419987 CET	53	52761	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:10.963063002 CET	55452	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:10.996969938 CET	53	50039	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.000746012 CET	53	54289	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.001589060 CET	49736	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:11.100655079 CET	53	55452	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.139146090 CET	53	49736	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.139610052 CET	55336	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:11.277218103 CET	53	55336	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.301433086 CET	53	56483	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.474729061 CET	54500	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:11.475403070 CET	61196	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:11.530915976 CET	60338	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:11.612042904 CET	53	54500	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:11.613683939 CET	53	61196	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:15.728804111 CET	63619	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:15.787966013 CET	58299	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:15.925443888 CET	53	58299	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:15.934032917 CET	58266	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:15.944189072 CET	60430	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:16.072973013 CET	53	58266	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:16.080893040 CET	51827	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:16.081837893 CET	53	60430	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:16.083069086 CET	63300	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:16.193504095 CET	53	63619	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:16.194399118 CET	63719	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:16.220056057 CET	53	51827	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:16.220273972 CET	53	63300	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:16.333616018 CET	53	63719	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:16.334783077 CET	49825	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:16.471947908 CET	53	49825	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:20.731925011 CET	56952	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:20.869585037 CET	53	56952	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:23.026626110 CET	65229	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:23.166702032 CET	53	65229	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:26.747026920 CET	62358	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:26.747158051 CET	59164	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:26.747474909 CET	49332	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:26.886224985 CET	53	59164	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:26.886276007 CET	53	62358	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:26.887224913 CET	51304	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:26.887268066 CET	53	49332	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:26.887357950 CET	59444	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:26.888016939 CET	57911	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.027501106 CET	53	59444	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.028505087 CET	52332	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.028621912 CET	53	51304	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.029246092 CET	55313	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.166336060 CET	53	52332	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.167504072 CET	49272	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.167643070 CET	53	55313	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.168397903 CET	57373	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.203928947 CET	53	57911	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.211935043 CET	59231	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.306180000 CET	53	57373	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.307272911 CET	53	49272	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.307348013 CET	61471	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.307991982 CET	49339	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.420413017 CET	53	59231	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.444771051 CET	53	61471	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.445400953 CET	56293	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.524719954 CET	53	49339	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.525609970 CET	60110	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:27.583677053 CET	53	56293	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:27.663896084 CET	53	60110	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:32.992264032 CET	54807	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:33.135282040 CET	53	54807	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:33.136905909 CET	62688	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:33.276290894 CET	53	62688	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:35.687747955 CET	51484	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:35.713651896 CET	51688	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:35.770325899 CET	61890	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:35.825238943 CET	53	51484	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:35.910377026 CET	53	61890	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:35.920804024 CET	57725	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:35.953896046 CET	53	51688	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:35.955462933 CET	54195	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:36.094121933 CET	53	54195	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:36.094892025 CET	54090	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:36.142990112 CET	53	57725	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:36.143686056 CET	65413	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:36.232804060 CET	53	54090	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:36.280855894 CET	53	65413	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:55.673413038 CET	60097	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:56:55.813564062 CET	53	60097	1.1.1.1	192.168.2.4
Dec 13, 2024 09:56:56.896549940 CET	63777	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:57:05.735693932 CET	59046	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:57:05.935997963 CET	53	59046	1.1.1.1	192.168.2.4
Dec 13, 2024 09:57:37.516720057 CET	55815	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:57:37.655365944 CET	53	55815	1.1.1.1	192.168.2.4
Dec 13, 2024 09:57:37.657130003 CET	64876	53	192.168.2.4	1.1.1.1
Dec 13, 2024 09:57:37.796066046 CET	53	64876	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 09:56:06.712980986 CET	192.168.2.4	1.1.1.1	0xe29a	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:06.851337910 CET	192.168.2.4	1.1.1.1	0x84e1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:09.615187883 CET	192.168.2.4	1.1.1.1	0x15f3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.615823030 CET	192.168.2.4	1.1.1.1	0xb37f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.755867004 CET	192.168.2.4	1.1.1.1	0x9223	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.756752968 CET	192.168.2.4	1.1.1.1	0x8774	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.929918051 CET	192.168.2.4	1.1.1.1	0x85e4	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:09.930201054 CET	192.168.2.4	1.1.1.1	0xc106	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:10.540854931 CET	192.168.2.4	1.1.1.1	0x2335	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.541594028 CET	192.168.2.4	1.1.1.1	0x1dfc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.568500996 CET	192.168.2.4	1.1.1.1	0x1baf	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.664119959 CET	192.168.2.4	1.1.1.1	0x1ae0	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.681551933 CET	192.168.2.4	1.1.1.1	0xb31	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:10.682203054 CET	192.168.2.4	1.1.1.1	0xd211	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.709850073 CET	192.168.2.4	1.1.1.1	0xf88b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.712404966 CET	192.168.2.4	1.1.1.1	0x914	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.824913979 CET	192.168.2.4	1.1.1.1	0xeff6	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:10.825042963 CET	192.168.2.4	1.1.1.1	0xf6bb	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.854856968 CET	192.168.2.4	1.1.1.1	0x2c9d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.858464956 CET	192.168.2.4	1.1.1.1	0x14f8	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:10.963063002 CET	192.168.2.4	1.1.1.1	0xe758	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:11.001589060 CET	192.168.2.4	1.1.1.1	0x2872	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.139610052 CET	192.168.2.4	1.1.1.1	0xd1b6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:11.474729061 CET	192.168.2.4	1.1.1.1	0x46ef	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.475403070 CET	192.168.2.4	1.1.1.1	0x8175	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.530915976 CET	192.168.2.4	1.1.1.1	0xf47a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.728804111 CET	192.168.2.4	1.1.1.1	0x3b6	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.787966013 CET	192.168.2.4	1.1.1.1	0xb87b	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.934032917 CET	192.168.2.4	1.1.1.1	0x19f4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.944189072 CET	192.168.2.4	1.1.1.1	0x708f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:16.080893040 CET	192.168.2.4	1.1.1.1	0xf831	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:16.083069086 CET	192.168.2.4	1.1.1.1	0xe142	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:16.194399118 CET	192.168.2.4	1.1.1.1	0xe80d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:16.334783077 CET	192.168.2.4	1.1.1.1	0x60c4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:20.731925011 CET	192.168.2.4	1.1.1.1	0x81a8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:23.026626110 CET	192.168.2.4	1.1.1.1	0xd4d9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:26.747026920 CET	192.168.2.4	1.1.1.1	0xb65f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.747158051 CET	192.168.2.4	1.1.1.1	0x2a24	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.747474909 CET	192.168.2.4	1.1.1.1	0x3913	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.887224913 CET	192.168.2.4	1.1.1.1	0xbf65	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.887357950 CET	192.168.2.4	1.1.1.1	0xba1d	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.888016939 CET	192.168.2.4	1.1.1.1	0xe371	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.028505087 CET	192.168.2.4	1.1.1.1	0xa869	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:27.029246092 CET	192.168.2.4	1.1.1.1	0x833	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:27.167504072 CET	192.168.2.4	1.1.1.1	0x81f9	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.168397903 CET	192.168.2.4	1.1.1.1	0xd4cc	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.211935043 CET	192.168.2.4	1.1.1.1	0xe24b	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 09:56:27.307348013 CET	192.168.2.4	1.1.1.1	0xdcb0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.307991982 CET	192.168.2.4	1.1.1.1	0xc377	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.445400953 CET	192.168.2.4	1.1.1.1	0x2bd5	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:27.525609970 CET	192.168.2.4	1.1.1.1	0x6dbe	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:32.992264032 CET	192.168.2.4	1.1.1.1	0xcd8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:33.136905909 CET	192.168.2.4	1.1.1.1	0xc1fc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:35.687747955 CET	192.168.2.4	1.1.1.1	0xcb9d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 09:56:35.713651896 CET	192.168.2.4	1.1.1.1	0xd7cf	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.770325899 CET	192.168.2.4	1.1.1.1	0xfa77	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.920804024 CET	192.168.2.4	1.1.1.1	0x4f86	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.955462933 CET	192.168.2.4	1.1.1.1	0x9d51	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.094892025 CET	192.168.2.4	1.1.1.1	0xbdb5	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 09:56:36.143686056 CET	192.168.2.4	1.1.1.1	0xde40	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:55.673413038 CET	192.168.2.4	1.1.1.1	0xf09e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:56:56.896549940 CET	192.168.2.4	1.1.1.1	0xc51	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:57:05.735693932 CET	192.168.2.4	1.1.1.1	0xb650	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 09:57:37.516720057 CET	192.168.2.4	1.1.1.1	0xffad	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:57:37.657130003 CET	192.168.2.4	1.1.1.1	0x28d5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 09:56:06.710570097 CET	1.1.1.1	192.168.2.4	0x570a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:06.850645065 CET	1.1.1.1	192.168.2.4	0xe29a	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.754465103 CET	1.1.1.1	192.168.2.4	0xb37f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:09.754465103 CET	1.1.1.1	192.168.2.4	0xb37f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.754484892 CET	1.1.1.1	192.168.2.4	0x15f3	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.893629074 CET	1.1.1.1	192.168.2.4	0x9223	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:09.894747972 CET	1.1.1.1	192.168.2.4	0x8774	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.049365997 CET	1.1.1.1	192.168.2.4	0xd2fd	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:10.049365997 CET	1.1.1.1	192.168.2.4	0xd2fd	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.066914082 CET	1.1.1.1	192.168.2.4	0x85e4	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 09:56:10.072968006 CET	1.1.1.1	192.168.2.4	0xc106	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 09:56:10.679919958 CET	1.1.1.1	192.168.2.4	0x2335	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.680644989 CET	1.1.1.1	192.168.2.4	0x1dfc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.708354950 CET	1.1.1.1	192.168.2.4	0x1baf	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:10.708354950 CET	1.1.1.1	192.168.2.4	0x1baf	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.805614948 CET	1.1.1.1	192.168.2.4	0x1ae0	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:10.805614948 CET	1.1.1.1	192.168.2.4	0x1ae0	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:10.805614948 CET	1.1.1.1	192.168.2.4	0x1ae0	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.820028067 CET	1.1.1.1	192.168.2.4	0xd211	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.849163055 CET	1.1.1.1	192.168.2.4	0xf88b	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:10.943597078 CET	1.1.1.1	192.168.2.4	0x914	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:10.962419987 CET	1.1.1.1	192.168.2.4	0xf6bb	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.000746012 CET	1.1.1.1	192.168.2.4	0x2c9d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.100655079 CET	1.1.1.1	192.168.2.4	0xe758	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 09:56:11.139146090 CET	1.1.1.1	192.168.2.4	0x2872	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.612042904 CET	1.1.1.1	192.168.2.4	0x46ef	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.613683939 CET	1.1.1.1	192.168.2.4	0x8175	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.613683939 CET	1.1.1.1	192.168.2.4	0x8175	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:11.669883966 CET	1.1.1.1	192.168.2.4	0xf47a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:11.669883966 CET	1.1.1.1	192.168.2.4	0xf47a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.860945940 CET	1.1.1.1	192.168.2.4	0xb14f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:15.860945940 CET	1.1.1.1	192.168.2.4	0xb14f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.909105062 CET	1.1.1.1	192.168.2.4	0xd21b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:15.925443888 CET	1.1.1.1	192.168.2.4	0xb87b	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:15.925443888 CET	1.1.1.1	192.168.2.4	0xb87b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:16.072973013 CET	1.1.1.1	192.168.2.4	0x19f4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:16.081837893 CET	1.1.1.1	192.168.2.4	0x708f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:16.193504095 CET	1.1.1.1	192.168.2.4	0x3b6	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:16.193504095 CET	1.1.1.1	192.168.2.4	0x3b6	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:16.193504095 CET	1.1.1.1	192.168.2.4	0x3b6	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:16.333616018 CET	1.1.1.1	192.168.2.4	0xe80d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:20.863981009 CET	1.1.1.1	192.168.2.4	0xbf1e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886224985 CET	1.1.1.1	192.168.2.4	0x2a24	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886224985 CET	1.1.1.1	192.168.2.4	0x2a24	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.886276007 CET	1.1.1.1	192.168.2.4	0xb65f	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:26.887268066 CET	1.1.1.1	192.168.2.4	0x3913	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:26.887268066 CET	1.1.1.1	192.168.2.4	0x3913	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.027501106 CET	1.1.1.1	192.168.2.4	0xba1d	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.028621912 CET	1.1.1.1	192.168.2.4	0xbf65	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.166336060 CET	1.1.1.1	192.168.2.4	0xa869	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 09:56:27.166336060 CET	1.1.1.1	192.168.2.4	0xa869	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 09:56:27.166336060 CET	1.1.1.1	192.168.2.4	0xa869	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 09:56:27.166336060 CET	1.1.1.1	192.168.2.4	0xa869	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 09:56:27.167643070 CET	1.1.1.1	192.168.2.4	0x833	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 09:56:27.203928947 CET	1.1.1.1	192.168.2.4	0xe371	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.306180000 CET	1.1.1.1	192.168.2.4	0xd4cc	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.307272911 CET	1.1.1.1	192.168.2.4	0x81f9	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:27.307272911 CET	1.1.1.1	192.168.2.4	0x81f9	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.307272911 CET	1.1.1.1	192.168.2.4	0x81f9	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.307272911 CET	1.1.1.1	192.168.2.4	0x81f9	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.307272911 CET	1.1.1.1	192.168.2.4	0x81f9	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.420413017 CET	1.1.1.1	192.168.2.4	0xe24b	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 09:56:27.444771051 CET	1.1.1.1	192.168.2.4	0xdcb0	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.524719954 CET	1.1.1.1	192.168.2.4	0xc377	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.524719954 CET	1.1.1.1	192.168.2.4	0xc377	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.524719954 CET	1.1.1.1	192.168.2.4	0xc377	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:27.524719954 CET	1.1.1.1	192.168.2.4	0xc377	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:33.135282040 CET	1.1.1.1	192.168.2.4	0xcd8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.910377026 CET	1.1.1.1	192.168.2.4	0xfa77	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:35.910377026 CET	1.1.1.1	192.168.2.4	0xfa77	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.953896046 CET	1.1.1.1	192.168.2.4	0xd7cf	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.953896046 CET	1.1.1.1	192.168.2.4	0xd7cf	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.953896046 CET	1.1.1.1	192.168.2.4	0xd7cf	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:35.953896046 CET	1.1.1.1	192.168.2.4	0xd7cf	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.094121933 CET	1.1.1.1	192.168.2.4	0x9d51	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.094121933 CET	1.1.1.1	192.168.2.4	0x9d51	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.094121933 CET	1.1.1.1	192.168.2.4	0x9d51	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.094121933 CET	1.1.1.1	192.168.2.4	0x9d51	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.142990112 CET	1.1.1.1	192.168.2.4	0x4f86	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:56:36.232804060 CET	1.1.1.1	192.168.2.4	0xbdb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 09:56:36.232804060 CET	1.1.1.1	192.168.2.4	0xbdb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 09:56:36.232804060 CET	1.1.1.1	192.168.2.4	0xbdb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 09:56:36.232804060 CET	1.1.1.1	192.168.2.4	0xbdb5	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 09:56:39.313940048 CET	1.1.1.1	192.168.2.4	0xdea9	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:39.313940048 CET	1.1.1.1	192.168.2.4	0xdea9	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:57.033526897 CET	1.1.1.1	192.168.2.4	0xc51	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 09:56:57.033526897 CET	1.1.1.1	192.168.2.4	0xc51	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:57:05.733951092 CET	1.1.1.1	192.168.2.4	0xcd6b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 09:57:37.655365944 CET	1.1.1.1	192.168.2.4	0xffad	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	8028	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 09:56:09.879678011 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:10.965331078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82005 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:11.580576897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:11.895453930 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82006 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49748	34.107.221.82	80	8028	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 09:56:11.790924072 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	8028	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 09:56:12.059030056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:13.144709110 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82064 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:15.753288984 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:16.068346977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82067 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:20.710201025 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:21.025216103 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82072 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:22.386967897 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:22.703152895 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82074 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:23.546900988 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:23.861650944 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82075 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:26.303710938 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:26.619128942 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82078 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:31.889256954 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:32.204916954 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82084 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:34.546602011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:34.861823082 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82086 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:37.404628038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:37.720396042 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82089 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:38.714735031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:39.029921055 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82090 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:56:49.044246912 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:56:57.214747906 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:56:57.529654026 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82109 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:57:07.285058975 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:57:07.599644899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82119 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:57:17.609396935 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:27.738909006 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:37.868305922 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:39.215009928 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 09:57:39.529582977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 10:08:28 GMT Age: 82151 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 09:57:49.534235001 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:59.663374901 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49750	34.107.221.82	80	8028	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 09:56:12.375046015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:13.462483883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82008 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:15.770240068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:16.085356951 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82010 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:20.725862026 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:21.040934086 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82015 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:22.975781918 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:23.292874098 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82018 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:25.162060022 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:25.477207899 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82020 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:31.570612907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:31.885902882 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82026 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:34.227065086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:34.542731047 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82029 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:36.918277979 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:37.400983095 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82032 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:38.396456957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:38.712042093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82033 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:56:48.712052107 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:56:56.896280050 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:56:57.211384058 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82052 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:57:06.966900110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:57:07.281941891 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82062 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:57:17.292937994 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:27.422414064 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:37.551554918 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:38.889048100 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 09:57:39.203741074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 82094 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 09:57:49.217664003 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 09:57:59.346812010 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	03:55:58
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x9c0000
File size:	969'728 bytes
MD5 hash:	A42C2512C7C450E1F1BE312FBD38AC1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:55:59
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xe40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:55:59
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:56:01
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xe40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:56:01
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:56:01
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xe40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:56:01
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:56:01
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xe40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:56:01
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:56:02
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xe40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:56:02
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:56:02
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:56:02
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:56:02
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:56:04
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2136 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e928bcec-b32f-4554-bc25-89a7cd56218c} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b56fd10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	03:56:06
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -parentBuildID 20230927232528 -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d93f274-4bb2-4abb-9c9a-6812da0dd9e8} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 1923b541a10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:56:14
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3a19f4-2490-4aad-97e4-8967fb44e0cf} 8028 "\\.\pipe\gecko-crash-server-pipe.8028" 192599d9910 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.8%
Total number of Nodes:	1689
Total number of Limit Nodes:	56

Executed Functions

Function 009C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 009C430D

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

GetCurrentProcess.KERNEL32(?,00A5CB64,00000000,?,?), ref: 009C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 009C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 009C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009C4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 009C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 009C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009C44A0

Strings

kernel32.dll, xrefs: 009C444F
|O, xrefs: 00A036F8
GetNativeSystemInfo, xrefs: 009C4460

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d2a72cfbed6f9d14d1d21903f07271370642fa1c7e60aeb8772afc9451a8713e
Instruction ID: a7d4be8bbca8dca57b9309f072e7228d715272c3326e8eb40ae4b410bfbbb0ae
Opcode Fuzzy Hash: d2a72cfbed6f9d14d1d21903f07271370642fa1c7e60aeb8772afc9451a8713e
Instruction Fuzzy Hash: 5FA1B466F0A3C6DFCB95C7E978806A77FF87B26300B14489ED4419BA71DA24450BDB22

Function 009C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009C50AA,?,?,00000000,00000000), ref: 009C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009C50AA,?,?,00000000,00000000), ref: 009C42C9
LoadResource.KERNEL32(?,00000000,?,?,009C50AA,?,?,00000000,00000000,?,?,?,?,?,?,009C4F20), ref: 00A035BE
SizeofResource.KERNEL32(?,00000000,?,?,009C50AA,?,?,00000000,00000000,?,?,?,?,?,?,009C4F20), ref: 00A035D3
LockResource.KERNEL32(009C50AA,?,?,009C50AA,?,?,00000000,00000000,?,?,?,?,?,?,009C4F20,?), ref: 00A035E6

Strings

SCRIPT, xrefs: 009C42BF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ff2143145e0d47e7ac1c75860672269faa2e69361ee972beb8c8972febe3365b
Instruction ID: 4c1a8b181437c45f63cf26ed396b4920e7fdb6f5d6c858f8ae4ee4006c987952
Opcode Fuzzy Hash: ff2143145e0d47e7ac1c75860672269faa2e69361ee972beb8c8972febe3365b
Instruction Fuzzy Hash: 1F11AC70600300BFEB219BA5EC49F6B7BBDFBC5B62F20416DF812862A0DB71D800D621

Function 00A02BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 009C2B6B

Part of subcall function 009C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A91418,?,009C2E7F,?,?,?,00000000), ref: 009C3A78

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A82224), ref: 00A02C10
ShellExecuteW.SHELL32(00000000,?,?,00A82224), ref: 00A02C17

Strings

runas, xrefs: 00A02C0B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d161c010ed7c8396cc179b52d32132fe820569fc973e7e07b53e66cbe6df9b20
Instruction ID: 9c533f37d38da4fd23e9cb970d3b50e5db09e89bbfc565c7d8836f1a930c0773
Opcode Fuzzy Hash: d161c010ed7c8396cc179b52d32132fe820569fc973e7e07b53e66cbe6df9b20
Instruction Fuzzy Hash: 2F11B471A083456AC714FF70E855FBEBBA4ABD6310F44842DF082520A2DF20894AC713

Function 00A2D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A2D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A2D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A2D52F
CloseHandle.KERNEL32(00000000), ref: 00A2D5DC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0f034640380c3adda2fbab2dd8dad698e8c3b85023d77b249b12342ad3fbbea8
Instruction ID: 56528ebedd2d4a22d77aacb92059b198267474063702cf83c45c0d292a782dc8
Opcode Fuzzy Hash: 0f034640380c3adda2fbab2dd8dad698e8c3b85023d77b249b12342ad3fbbea8
Instruction Fuzzy Hash: BE314B715083009FD301EF64D885FAABBE8EFD9354F14092DF586861A2EB719949CBA3

Function 00A2DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00A05222), ref: 00A2DBCE
GetFileAttributesW.KERNEL32(?), ref: 00A2DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A2DBEE
FindClose.KERNEL32(00000000), ref: 00A2DBFA

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7f4bd370aad110f1053809aa16aede7ef7b10ddc4b8b5111761c91639fdbd277
Instruction ID: bc931b951e21ddb5f2d829da2ecda9c42bc82696dba2f77b6af81fca00cfc9a1
Opcode Fuzzy Hash: 7f4bd370aad110f1053809aa16aede7ef7b10ddc4b8b5111761c91639fdbd277
Instruction Fuzzy Hash: 84F0A030810B206BC220BBBCAC0D8AE376CAE01336B104712F836D24E1FBB05956C696

Function 00A1D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A1D220

Strings

%.3d, xrefs: 00A1D22B
X64, xrefs: 00A1D2A8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6d7addf51120e9b79eb79124a2af4703b31f33bb097497a187d48aa0a2fc4c34
Instruction ID: d5b19dab9205145a19cf498dd37776c0f830b82df140e1c0b224945ffe48b304
Opcode Fuzzy Hash: 6d7addf51120e9b79eb79124a2af4703b31f33bb097497a187d48aa0a2fc4c34
Instruction Fuzzy Hash: DFD012B1849218F9CF50A6D0DC459FDB37CFB59301F608453F816A1040D638D5886761

Function 009E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009F28E9,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002,00000000,?,009F28E9), ref: 009E4D09
TerminateProcess.KERNEL32(00000000,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002,00000000,?,009F28E9), ref: 009E4D10
ExitProcess.KERNEL32 ref: 009E4D22

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 12579284f3c9ec7c83ffbe7afb4c6a51bc1ee7b6917c32a84e51c403b1412226
Instruction ID: 4ad03534369f76da276148f9964563616d9b58fb31af7a4e5f86cb81b9197d33
Opcode Fuzzy Hash: 12579284f3c9ec7c83ffbe7afb4c6a51bc1ee7b6917c32a84e51c403b1412226
Instruction Fuzzy Hash: FAE0BF71000748AFCF12AF55DD09A587F69FF81762B104054FD09CA267CB35ED82CB40

Function 00A1D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A1D28C

Strings

X64, xrefs: 00A1D2A8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 1695578db9da8f503b07b48ff042c5e48742d2765c31d035f6a8c4e640f9a57c
Instruction ID: acc0a2373ce9dacb34697a30922ab8c4afe4373b2d53525d0dcee5f080c44333
Opcode Fuzzy Hash: 1695578db9da8f503b07b48ff042c5e48742d2765c31d035f6a8c4e640f9a57c
Instruction Fuzzy Hash: A7D0C9B480122DEECF90CB90DC88DD9B3BCBB04306F104552F106A2140D77495498F10

Function 00A4AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00A4B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B1D4
_wcslen.LIBCMT ref: 00A4B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B236
_wcslen.LIBCMT ref: 00A4B332

Part of subcall function 00A305A7: GetStdHandle.KERNEL32(000000F6), ref: 00A305C6

_wcslen.LIBCMT ref: 00A4B34B
_wcslen.LIBCMT ref: 00A4B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A4B3B6
GetLastError.KERNEL32(00000000), ref: 00A4B407
CloseHandle.KERNEL32(?), ref: 00A4B439
CloseHandle.KERNEL32(00000000), ref: 00A4B44A
CloseHandle.KERNEL32(00000000), ref: 00A4B45C
CloseHandle.KERNEL32(00000000), ref: 00A4B46E
CloseHandle.KERNEL32(?), ref: 00A4B4E3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6f0d70b6d2e7598b53664053a823573a053abd3dda8aa45defb8880d80618908
Instruction ID: 6c26bff94c08d091aef4a70341c4f3f02f36ad61ebfc1392c16832ab546faed9
Opcode Fuzzy Hash: 6f0d70b6d2e7598b53664053a823573a053abd3dda8aa45defb8880d80618908
Instruction Fuzzy Hash: 75F1AB356183409FC724EF24C891B6EBBE5AFC5710F14895DF8999B2A2CB31EC41CB62

Function 009CD730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009CD807
timeGetTime.WINMM ref: 009CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009CDB28
TranslateMessage.USER32(?), ref: 009CDB7B
DispatchMessageW.USER32(?), ref: 009CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009CDB9F
Sleep.KERNEL32(0000000A), ref: 009CDBB1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 43775ebcb0c876b7ad30aef32a0f705af37d17178e7c0add5ba0ff454401d1ff
Instruction ID: 2ff8e69507bb01f7135346101a1455a69dad54af49fc6834cc46cd269a111c88
Opcode Fuzzy Hash: 43775ebcb0c876b7ad30aef32a0f705af37d17178e7c0add5ba0ff454401d1ff
Instruction Fuzzy Hash: AA420330A09341EFD728CF24C885FAAB7E5BF85304F14892EE59687291D774E895CB93

Function 009C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009C2D07
RegisterClassExW.USER32(00000030), ref: 009C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C2D42
InitCommonControlsEx.COMCTL32(?), ref: 009C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C2D6F
LoadIconW.USER32(000000A9), ref: 009C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C2D94

Strings

0, xrefs: 009C2CE9
+, xrefs: 009C2CF0
TaskbarCreated, xrefs: 009C2D37
AutoIt v3 GUI, xrefs: 009C2D23

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 28e8af5f8401d5d756560afd03ddc77ac7a352efc39e26336d46f93dfe80f958
Instruction ID: 03080dfd5ba79f26170511d9389803a6b9aaf6c618df5b30eafcb27fd074d97c
Opcode Fuzzy Hash: 28e8af5f8401d5d756560afd03ddc77ac7a352efc39e26336d46f93dfe80f958
Instruction Fuzzy Hash: 4521B2B5A01319AFDB00DFE4EC49B9DBBB4FB08B15F10811AF911A62A4DBB14545CF91

Function 00A0065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A0039A: CreateFileW.KERNEL32(00000000,00000000,?,00A00704,?,?,00000000,?,00A00704,00000000,0000000C), ref: 00A003B7

GetLastError.KERNEL32 ref: 00A0076F
__dosmaperr.LIBCMT ref: 00A00776
GetFileType.KERNEL32(00000000), ref: 00A00782
GetLastError.KERNEL32 ref: 00A0078C
__dosmaperr.LIBCMT ref: 00A00795
CloseHandle.KERNEL32(00000000), ref: 00A007B5
CloseHandle.KERNEL32(?), ref: 00A008FF
GetLastError.KERNEL32 ref: 00A00931
__dosmaperr.LIBCMT ref: 00A00938

Strings

H, xrefs: 00A008BD

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: eb78b18d240d2fcff98fff7a36e27a6acf7643858501b22ca381d61826df7c77
Instruction ID: b2ac5b674ec2303699e7b87b71a110627bf8a0834f5a138eaa30ed7a405af2f6
Opcode Fuzzy Hash: eb78b18d240d2fcff98fff7a36e27a6acf7643858501b22ca381d61826df7c77
Instruction Fuzzy Hash: 1DA10432A046488FDF19EFA8E851FAE7BA0AB46320F14415AF8159F3D1DB359D13CB91

Function 009C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A91418,?,009C2E7F,?,?,?,00000000), ref: 009C3A78

Part of subcall function 009C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009C3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A0318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A031CE
RegCloseKey.ADVAPI32(?), ref: 00A03210
_wcslen.LIBCMT ref: 00A03277
_wcslen.LIBCMT ref: 00A03286

Strings

Include, xrefs: 00A03184, 00A031C5
\Include\, xrefs: 009C3527
Software\AutoIt v3\AutoIt, xrefs: 009C3560
\, xrefs: 00A0328C

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 9d4f9cbe9f3ec14ebf4b1c181b60524cbe419013f43d95ac898ab44220c1b3ef
Instruction ID: 3937417975c95bbd9ec0434c62c63d44db5579fdc9c47508e4b2e3f4a50d1f27
Opcode Fuzzy Hash: 9d4f9cbe9f3ec14ebf4b1c181b60524cbe419013f43d95ac898ab44220c1b3ef
Instruction Fuzzy Hash: 5E71B271A05304AEC704DF65EC82FABB7E8FF99340F40492EF5458B1A1EB309A49CB52

Function 009C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 009C2B9D
LoadIconW.USER32(00000063), ref: 009C2BB3
LoadIconW.USER32(000000A4), ref: 009C2BC5
LoadIconW.USER32(000000A2), ref: 009C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009C2BEF
RegisterClassExW.USER32(?), ref: 009C2C40

Part of subcall function 009C2CD4: GetSysColorBrush.USER32(0000000F), ref: 009C2D07
Part of subcall function 009C2CD4: RegisterClassExW.USER32(00000030), ref: 009C2D31
Part of subcall function 009C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C2D42
Part of subcall function 009C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 009C2D5F
Part of subcall function 009C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C2D6F
Part of subcall function 009C2CD4: LoadIconW.USER32(000000A9), ref: 009C2D85
Part of subcall function 009C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C2D94

Strings

AutoIt v3, xrefs: 009C2C2F
0, xrefs: 009C2C0F
#, xrefs: 009C2C16

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: bc4bb7acc0b0f08076a2d8346beff001b3d8028e513ea97d692c51245a9d24f1
Instruction ID: caeeffcd1ddca7914bdec013dd3f19b0c7493b051738430e9f271f9cafab4426
Opcode Fuzzy Hash: bc4bb7acc0b0f08076a2d8346beff001b3d8028e513ea97d692c51245a9d24f1
Instruction Fuzzy Hash: 05211874E00319AFDB50DFE5EC59BAA7FB4FB48B54F04411BE504AA6A0DBB10542CF90

Function 009C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,009C316A,?,?), ref: 009C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,009C316A,?,?), ref: 009C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,009C316A,?,?), ref: 009C3232
CreatePopupMenu.USER32 ref: 009C3246
PostQuitMessage.USER32(00000000), ref: 009C3267

Strings

TaskbarCreated, xrefs: 009C322D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: dbae2ee44acd819631e4d49ff3b5ee60d2c112044c2e83d70ac0680f06915e97
Instruction ID: fe431e987f915b205d3ae3295ae452bb5b31e242d1e35ab0b1e4e29186f5bdc8
Opcode Fuzzy Hash: dbae2ee44acd819631e4d49ff3b5ee60d2c112044c2e83d70ac0680f06915e97
Instruction Fuzzy Hash: ED415731B44305AFDF159BB89D0DFB93A68E749350F08C12EF5128A5A1DB648E029B63

Function 009C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009C1459
CoUninitialize.COMBASE ref: 009C14F8
UnregisterHotKey.USER32(?), ref: 009C16DD
DestroyWindow.USER32(?), ref: 00A024B9
FreeLibrary.KERNEL32(?), ref: 00A0251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A0254B

Strings

close all, xrefs: 009C1454

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 57117440391bb73924fcf11c4d9a635e47b0f3db6c24d073bd419debdc6e5f28
Instruction ID: 5d1e7840eb4240213c6f89b4bf5d3e9225d7c50f6209b6974d8739cc19d4aba9
Opcode Fuzzy Hash: 57117440391bb73924fcf11c4d9a635e47b0f3db6c24d073bd419debdc6e5f28
Instruction Fuzzy Hash: C9D17931B012128FCB19EF14D999F29F7A4BF45710F1442ADE84A6B2A2CB31AD12CF59

Function 00A2DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00A2DE42
gethostname.WS2_32(?,00000100), ref: 00A2DE5C
gethostbyname.WS2_32(?), ref: 00A2DE69
inet_ntoa.WSOCK32(?), ref: 00A2DEAB
_strcat.LIBCMT ref: 00A2DEB9
WSACleanup.WSOCK32 ref: 00A2DEDE

Strings

0.0.0.0, xrefs: 00A2DE87

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 82a7644c59fbf5031ca9c8a4ef2349adc94c7c0b9d352ea91effe73240bad8fe
Instruction ID: 2f9c5bb764a0f4b043f0a818372042fc2b25458079fab589c0830df5940517ca
Opcode Fuzzy Hash: 82a7644c59fbf5031ca9c8a4ef2349adc94c7c0b9d352ea91effe73240bad8fe
Instruction Fuzzy Hash: AF110A71504314BFDB20BB64AC0AEEE777CEF54721F010179F445A6096EF708E818A60

Function 009C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,009C1CAD,?), ref: 009C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,009C1CAD,?), ref: 009C2CCF

Strings

edit, xrefs: 009C2CAC
AutoIt v3, xrefs: 009C2C89, 009C2C8E, 009C2C8F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b7ebb9e1295f56ac226fa5d3f28befc96cff2ab1765730697186208e386fe01e
Instruction ID: 4205bcda65233e9c7467a8dc28363b28e06f32d5dd2f9027d6208ab620615b63
Opcode Fuzzy Hash: b7ebb9e1295f56ac226fa5d3f28befc96cff2ab1765730697186208e386fe01e
Instruction Fuzzy Hash: 00F030796403917EE77087636C0CE772E7DE7CAF61B00005AF9049A560DA710842DA70

Function 009C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009C3B0F,SwapMouseButtons,00000004,?), ref: 009C3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009C3B0F,SwapMouseButtons,00000004,?), ref: 009C3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,009C3B0F,SwapMouseButtons,00000004,?), ref: 009C3B83

Strings

Control Panel\Mouse, xrefs: 009C3B3E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8a8bbd11ad7162330bbcfb3443677db4000455e3f46034f9cc8a57e1ec6e6317
Instruction ID: 7f09e8edf4a8ae40774efe0cc17b512861e79363942806c819e001347f767d6d
Opcode Fuzzy Hash: 8a8bbd11ad7162330bbcfb3443677db4000455e3f46034f9cc8a57e1ec6e6317
Instruction Fuzzy Hash: D51118B5910208FFDB20CFA5DC44EBEB7BCEF04755B10C959B805D7110E2319E419B61

Function 00A1D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A1D3BF
FreeLibrary.KERNEL32 ref: 00A1D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00A1D3B9
X64, xrefs: 00A1D2A8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 6a396d6a5b26453a36f50472caf2aae31605f5f931c5dbaf3d81aa473da1a0e4
Instruction ID: c2a471305657d6a5b16def19cbcb9296a9004daf02dc00dc6693cbc1e39e80be
Opcode Fuzzy Hash: 6a396d6a5b26453a36f50472caf2aae31605f5f931c5dbaf3d81aa473da1a0e4
Instruction Fuzzy Hash: 07F05571802B319FC73553208C949EE3334BF02B02B588616E812FE208EB34CCC48292

Function 009CDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A132B7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: dc35815a5ac0d33e6578b22550510ecf8af57443bc81bf8cce896f1fd6b99782
Instruction ID: 7d3e22112da04de7bfd9211ec53615c2d92cd360715034017d2caf42183119c0
Opcode Fuzzy Hash: dc35815a5ac0d33e6578b22550510ecf8af57443bc81bf8cce896f1fd6b99782
Instruction Fuzzy Hash: 12C27771E00205DFCB24CF98C881FADB7B5BF48310F24856AE916AB391D775AD81CB92

Function 009CEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009CFE66

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 21d2ffec1f565fea500269b2ef12425f304ff1fd690857e0b801cb7a023d95df
Instruction ID: 38d021a3232ff0ca2cbdabc17812b4efc4512970fd531d7a360ebaf84eaf90a0
Opcode Fuzzy Hash: 21d2ffec1f565fea500269b2ef12425f304ff1fd690857e0b801cb7a023d95df
Instruction Fuzzy Hash: ACB26B74A08341DFCB14CF18C4A0B2AB7E6BF89314F24886EE8969B391D775ED45CB52

Function 009C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A033A2

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 009C3A04

Strings

Line: , xrefs: 00A033EB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: a8c2c7f2497f04185e4584463ccdc47b59d082f614850a77b0689b9a9cc6c339
Instruction ID: 27333771386d2bc410d8f6d40a991f6bef282e351eac3c12073b3dff2627b4f2
Opcode Fuzzy Hash: a8c2c7f2497f04185e4584463ccdc47b59d082f614850a77b0689b9a9cc6c339
Instruction Fuzzy Hash: 4731C071908305AAD721EB60DC46FEBB7ECAB80714F00892EF59997191DF749A49C7C3

Function 009DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009E0668

Part of subcall function 009E32A4: RaiseException.KERNEL32(?,?,?,009E068A,?,00A91444,?,?,?,?,?,?,009E068A,009C1129,00A88738,009C1129), ref: 009E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 009E0685

Strings

Unknown exception, xrefs: 009E0692

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 39e8fbc6c7b0b0e82ec29ba59dc7864deefbb49a56a23c057a86be3386080285
Instruction ID: 137093a958c5f914c5338f368356304a1a709730c713746eb289a178aeaa35e2
Opcode Fuzzy Hash: 39e8fbc6c7b0b0e82ec29ba59dc7864deefbb49a56a23c057a86be3386080285
Instruction Fuzzy Hash: 83F04C3080028C77CB01B666D84AE5E777D6EC0300BA08531B924D66D1EFB0DE55C6C0

Function 009C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009C1BF4
Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 009C1BFC
Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009C1C07
Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009C1C12
Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 009C1C1A
Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 009C1C22

Part of subcall function 009C1B4A: RegisterWindowMessageW.USER32(00000004,?,009C12C4), ref: 009C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009C136A
OleInitialize.OLE32 ref: 009C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00A024AB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 592fd95126df036db7e835284fa16e137ef21b2736e0e0fa5c3e9ef6628fe7ae
Instruction ID: 19d93293cb378d88740374891ddc31cba75a4104c8ea034c7c1ed5fe33a96816
Opcode Fuzzy Hash: 592fd95126df036db7e835284fa16e137ef21b2736e0e0fa5c3e9ef6628fe7ae
Instruction Fuzzy Hash: 097189B8F113028FCB85DFB9A985A593AE0BB89394756862FD41AC7362EF304447CF45

Function 00A2C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 009C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A2C259
KillTimer.USER32(?,00000001,?,?), ref: 00A2C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A2C270

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6112d1d990dd097c51598e95e4e363a38d855cb4028cabb5f837a010893dbcb3
Instruction ID: 0a9ea362b9d27e57b9a7b5b4b7a942af0b49a4864b2e6db1717acede21b163fe
Opcode Fuzzy Hash: 6112d1d990dd097c51598e95e4e363a38d855cb4028cabb5f837a010893dbcb3
Instruction Fuzzy Hash: 5131D570904364AFEB32DF689855BEBBBFCAF06318F0004AED1DA97241CB745A85CB51

Function 009F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,009F85CC,?,00A88CC8,0000000C), ref: 009F8704
GetLastError.KERNEL32(?,009F85CC,?,00A88CC8,0000000C), ref: 009F870E
__dosmaperr.LIBCMT ref: 009F8739

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: ba5afb7bdac6359c3b09d6ba4d76e312840b291c57dc1b30742355806877df7b
Instruction ID: 13335ff76112f6b14670ae1cb9be19b3c59bdfcc823687c8a235a5fae3f84ce5
Opcode Fuzzy Hash: ba5afb7bdac6359c3b09d6ba4d76e312840b291c57dc1b30742355806877df7b
Instruction Fuzzy Hash: 8E012B33605A685AD6A4A2786849B7F678D8BC2779F3A0119FB14CB1D2DEA18C818350

Function 009CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 009CDB7B
DispatchMessageW.USER32(?), ref: 009CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009CDB9F
Sleep.KERNEL32(0000000A), ref: 009CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00A11CC9

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 3df22c0ecb970f7a3f05dc52401d7abdac4eef02bb4d3fc85a7b4dd86dbe206f
Instruction ID: 4b3671e511ba00a70c0c34fff66ab3d3b0c5cfc94404a4c6076d155ed81c37c1
Opcode Fuzzy Hash: 3df22c0ecb970f7a3f05dc52401d7abdac4eef02bb4d3fc85a7b4dd86dbe206f
Instruction Fuzzy Hash: BFF082306453419BEB30CBA0CC89FEA73ECFB88311F104929E60AC30C0EB309489DB26

Function 009D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009D17F6

Strings

CALL, xrefs: 009D17C6

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f7ad8052674fa150fa06a07aed2c76bf402faa8c49660976881d3b547d83973b
Instruction ID: c1564ff5f33f168bca3b73131b74399b2e26cf0f78ec93fe25311ccf483399da
Opcode Fuzzy Hash: f7ad8052674fa150fa06a07aed2c76bf402faa8c49660976881d3b547d83973b
Instruction Fuzzy Hash: 5D229B71648301AFC714CF14C490B6ABBF6BF89314F14895EF4968B3A2D735E985CB92

Function 009D01E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078b8a16f62e83a208105eead30e7a1c498c04a261678c77950129bd891c8f47
Instruction ID: c15c3523cb83bdeee23e3ffb0ea70a465aff77c9ccee64f1b3dd29ec8a040d4a
Opcode Fuzzy Hash: 078b8a16f62e83a208105eead30e7a1c498c04a261678c77950129bd891c8f47
Instruction Fuzzy Hash: 5632C030E40605DFCB14DF64C885BEEB7B5AF95310F14896AE926AB3A1D731ED80CB91

Function 009C2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A02C8C

Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2

Part of subcall function 009C2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 009C2DC4

Strings

X, xrefs: 00A02C5A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: b5e32256e58901fbbfca2730ab8a60b8803fd73b625c3cdda3e0ddd7c039e5ec
Instruction ID: 5cf84e9fec912dccb0c2e769cf5d1a96a75b27dd680d000daca89c2ec6c5b0bf
Opcode Fuzzy Hash: b5e32256e58901fbbfca2730ab8a60b8803fd73b625c3cdda3e0ddd7c039e5ec
Instruction Fuzzy Hash: A5219671E102589FDB01EF94D845BDE7BFCAF88314F008059E405BB281DBB45A498F61

Function 00A1D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 00A1D375

Strings

X64, xrefs: 00A1D2A8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: a6c2ca59db6d1a0566fb257c3d80fcb596d2b6b70e46e142a99087bf006c8744
Instruction ID: 0e563f3671787b7a904fc91f5fa53a0ba995ebfec9b06e919c73196421a89eaa
Opcode Fuzzy Hash: a6c2ca59db6d1a0566fb257c3d80fcb596d2b6b70e46e142a99087bf006c8744
Instruction Fuzzy Hash: DDD0C9B580522CEECB94CB80DCC8DD9B37CBF04311F508552F002B2100D77495889B10

Function 009C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 009C3908

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: eff77fbd59e18a862af87746cafd0db0f3d2ff0cfbd3932d521ea456bfd8a445
Instruction ID: 775183347b8a54b40707d88113cf1a84e95a447bd016aab4c72917cf44e92bfe
Opcode Fuzzy Hash: eff77fbd59e18a862af87746cafd0db0f3d2ff0cfbd3932d521ea456bfd8a445
Instruction Fuzzy Hash: CC31A270A04301DFD761DF64D885B97BBF8FB49758F00492EF59987240E7B1AA44CB52

Function 009DF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009DF661

Part of subcall function 009CD730: GetInputState.USER32 ref: 009CD807

Sleep.KERNEL32(00000000), ref: 00A1F2DE

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e2e42ae0b12e012c3a674cb61b6acabcff099bffd8274f0c756d154aff63d91e
Instruction ID: 52fc4924e447b38e5ec19e41534dfca781e4d3d363de6c1213ecda77fff9287c
Opcode Fuzzy Hash: e2e42ae0b12e012c3a674cb61b6acabcff099bffd8274f0c756d154aff63d91e
Instruction Fuzzy Hash: C5F08C712407059FD310EF69D44AFAAB7E8FF99761F00402AF85AC7361DB70A800CB91

Function 009CB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009CBB4E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 3deb531e77d905bbd9809eb45cbecc1bc7434af6ac1e94938d1e6a8e04fca2a0
Instruction ID: b635df9d833d12f77c00529528e7192ab7ec2c4e0f2bf7c288e20a1567fd8566
Opcode Fuzzy Hash: 3deb531e77d905bbd9809eb45cbecc1bc7434af6ac1e94938d1e6a8e04fca2a0
Instruction Fuzzy Hash: C0329B35E00209EFDB24CF54C896FBEB7B9EF44354F14805AE915AB251C7B8AD81CB92

Function 009C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E9C
Part of subcall function 009C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C4EAE
Part of subcall function 009C4E90: FreeLibrary.KERNEL32(00000000,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EFD

Part of subcall function 009C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E62
Part of subcall function 009C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009C4E74
Part of subcall function 009C4E59: FreeLibrary.KERNEL32(00000000,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E87

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7a4e36e821045d67a10ff3c0d01e909f090d76d65ac509e414f098afcbf10a0b
Instruction ID: a4d26a936b433b35caf3809a28a05c1141e6f4e8b18bfe53bf5b7e0ed8c420f3
Opcode Fuzzy Hash: 7a4e36e821045d67a10ff3c0d01e909f090d76d65ac509e414f098afcbf10a0b
Instruction Fuzzy Hash: 29112332B00305AADF10FB60DC22FAD77A5AF84710F10882EF442A71C1EEB0AE459B52

Function 009F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 009F8440

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 89e349211f01354c326f8efc4dd79caca478ceb319e9648ca1544029531616e2
Instruction ID: 82d3bca0dc393ade09d53a9b32633d88d2bc5ad3f946b72b3696235e033f9e74
Opcode Fuzzy Hash: 89e349211f01354c326f8efc4dd79caca478ceb319e9648ca1544029531616e2
Instruction Fuzzy Hash: 6C111875A0410EAFCB05DF58E941AAF7BF9EF48314F144059F908AB312DB31DA21CBA5

Function 009EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 81f59679942a3fff2f9ba1dd77d2ad901eec2066ac72931f9ab5e44b76e656f4
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6DF0F432511A5896CA333B6B9C05B6B339C9FD2734F100B15F620932D2DB74EC0187A9

Function 009F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd67f8e9986730b79ee94305c1bee205a2a22169bc943e2d65795282f100027c
Instruction ID: cb60bbcab20059ec9b8df8cb91c5259969e833fd63556daf0c4e4cf28b020ab2
Opcode Fuzzy Hash: cd67f8e9986730b79ee94305c1bee205a2a22169bc943e2d65795282f100027c
Instruction Fuzzy Hash: C9E0E53110026CA6D62226B79D00BBB365CAB827F0F158121BE1596A80DB1DDD0183E0

Function 009C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4F6D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 734f272513166dd754053473eb022c1d18a7f268d14e1e6ad919cd3c52e5f2fd
Instruction ID: f9085a4249be326744c756c956ca2bc74e24a8c5f72a646d65238c5a49f00eeb
Opcode Fuzzy Hash: 734f272513166dd754053473eb022c1d18a7f268d14e1e6ad919cd3c52e5f2fd
Instruction Fuzzy Hash: B5F03971A05752CFDB349F65D4A0E22BBE8BF143293208E7EE1EA82621CB359844DF51

Function 00A52A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A52A66

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 371eff0ae9444942cc16f4080506bc6099eeee66ed85438a153ff412d31f7ad1
Instruction ID: a6ce592ac73bd3c0d289b4446a5992c7a7f29d39c36bca9d9e929e4a8534ee2e
Opcode Fuzzy Hash: 371eff0ae9444942cc16f4080506bc6099eeee66ed85438a153ff412d31f7ad1
Instruction Fuzzy Hash: DDE04F76354226AAC714EB34EC809FA735CFF563D6B104536FD16C2140DB349A9987A0

Function 009C30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 009C314E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fca6e1c10751dfa2302a612fdd8fe49d255dec5d748ad0cead084a5770e903e8
Instruction ID: 0740edab926c6d15ca5e89acdf8811ca9a760ce7fdce8b1840edc4ce723f8374
Opcode Fuzzy Hash: fca6e1c10751dfa2302a612fdd8fe49d255dec5d748ad0cead084a5770e903e8
Instruction Fuzzy Hash: 27F0A770A043049FEB92DB64DC4ABD67BBCA70170CF0001EAA1489A181DB704B89CF41

Function 009C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 009C2DC4

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7c62105417c82fff15a050078eda3bab117e9eca0e75e385ce54907635e8a4e2
Instruction ID: 81130d36e5d43e7e52ed32135abf5e128a5d4c67661a296463a33e8f790c9176
Opcode Fuzzy Hash: 7c62105417c82fff15a050078eda3bab117e9eca0e75e385ce54907635e8a4e2
Instruction Fuzzy Hash: FDE0CD72A042245BC710E2989C05FDA77DDDFC8790F040075FD09E7248D960AD808551

Function 009C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009C3908

Part of subcall function 009CD730: GetInputState.USER32 ref: 009CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 009C2B6B

Part of subcall function 009C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 009C314E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c42347b8b25ee0003d0baab31cc883565933c102867a7261f4e24492463d8b0c
Instruction ID: d913f56003291fc7e0c99b96b4fe698ec79b30a8eba331cec3b9b7051e3104a5
Opcode Fuzzy Hash: c42347b8b25ee0003d0baab31cc883565933c102867a7261f4e24492463d8b0c
Instruction Fuzzy Hash: 38E08662B0434507CA04FB749856F7DB7599BD9361F40953EF146871A2CE2449478253

Function 00A2DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00A2DF40

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 17fa874a84124deb41adf0dc6c19273d7c098d1410ed7aa2fb86cf0751d50b49
Instruction ID: ecfa9dbefbd24088043687a590a8a406a4835788df87fad392619bf5e7dd057b
Opcode Fuzzy Hash: 17fa874a84124deb41adf0dc6c19273d7c098d1410ed7aa2fb86cf0751d50b49
Instruction Fuzzy Hash: 64D05EA2A003282FDF60E6749C0DEF73AACD780220F0006A0786DD3152E920DD4586B0

Function 00A0039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00A00704,?,?,00000000,?,00A00704,00000000,0000000C), ref: 00A003B7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0c96af602b3b42ea21f0b8b123e19a5e449e28ad2fcd324ef9661b22758d50e
Instruction ID: 7a7013bd8e8619ee63f63d5531ea2acce1084ae0fbf575596ee8625fcdae9d2c
Opcode Fuzzy Hash: d0c96af602b3b42ea21f0b8b123e19a5e449e28ad2fcd324ef9661b22758d50e
Instruction Fuzzy Hash: D8D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E822AB90

Function 009C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 009C1CBC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 52f3d63a0d82a3faf12fbe9cc7ac3ab51eb14286f90a340735dc5b676afb160c
Instruction ID: 8cf4dc8ad14e8c34ca6b48680a8c39a5f4434255fa68067e5bf8a86622928850
Opcode Fuzzy Hash: 52f3d63a0d82a3faf12fbe9cc7ac3ab51eb14286f90a340735dc5b676afb160c
Instruction Fuzzy Hash: 58C0483A3C0305AEE214CBD0AC4AF117764A348B15F448002F609A95E39AA22822EA50

Non-executed Functions

Function 00A59576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A5961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A5965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A5969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A596C9
SendMessageW.USER32 ref: 00A596F2
GetKeyState.USER32(00000011), ref: 00A5978B
GetKeyState.USER32(00000009), ref: 00A59798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A597AE
GetKeyState.USER32(00000010), ref: 00A597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A597E9
SendMessageW.USER32 ref: 00A59810
SendMessageW.USER32(?,00001030,?,00A57E95), ref: 00A59918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A5992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A59941
SetCapture.USER32(?), ref: 00A5994A
ClientToScreen.USER32(?,?), ref: 00A599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A599D6
ReleaseCapture.USER32 ref: 00A599E1
GetCursorPos.USER32(?), ref: 00A59A19
ScreenToClient.USER32(?,?), ref: 00A59A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A59A80
SendMessageW.USER32 ref: 00A59AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A59AEB
SendMessageW.USER32 ref: 00A59B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A59B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A59B4A
GetCursorPos.USER32(?), ref: 00A59B68
ScreenToClient.USER32(?,?), ref: 00A59B75
GetParent.USER32(?), ref: 00A59B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A59BFA
SendMessageW.USER32 ref: 00A59C2B
ClientToScreen.USER32(?,?), ref: 00A59C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A59CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A59CDE
SendMessageW.USER32 ref: 00A59D01
ClientToScreen.USER32(?,?), ref: 00A59D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A59D82

Part of subcall function 009D9944: GetWindowLongW.USER32(?,000000EB), ref: 009D9952

GetWindowLongW.USER32(?,000000F0), ref: 00A59E05

Strings

F, xrefs: 00A59D07
@GUI_DRAGID, xrefs: 00A5997D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 4d625834d86e6307222d683a0d2d043641c38992f9329f66ddeac9f65158ff2b
Instruction ID: b157d48536fc23fac54bba36084730a8d08485f4d1c636a8a5795a0f34f45155
Opcode Fuzzy Hash: 4d625834d86e6307222d683a0d2d043641c38992f9329f66ddeac9f65158ff2b
Instruction Fuzzy Hash: 7C429C70204301EFDB21CF64CD44BABBBE5FF48321F100A1AFA998B6A1D731A959DB41

Function 00A54873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A54908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A54927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A5494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A5495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A5497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A54A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A54A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A54A7E
IsMenu.USER32(?), ref: 00A54A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A54AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A54B20
GetWindowLongW.USER32(?,000000F0), ref: 00A54B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A54BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A54C82
wsprintfW.USER32 ref: 00A54CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A54CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A54CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A54D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A54D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A54D5A

Strings

%d/%02d/%02d, xrefs: 00A54CA8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 4e8343ec3e8017464b5429544bfe61a23eeee82a34d61ffb874f59191e9c77df
Instruction ID: 6d011859bd0b53c2d17dc7a7f11ac9e86c2b4ff32689212c8a93c7d54847fcf3
Opcode Fuzzy Hash: 4e8343ec3e8017464b5429544bfe61a23eeee82a34d61ffb874f59191e9c77df
Instruction Fuzzy Hash: 9612FF71600304ABEB248F68CC49FAE7BB8FF89715F104119F916DA2A1D7789A89CB50

Function 009DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 009DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A1F474
IsIconic.USER32(00000000), ref: 00A1F47D
ShowWindow.USER32(00000000,00000009), ref: 00A1F48A
SetForegroundWindow.USER32(00000000), ref: 00A1F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A1F4AA
GetCurrentThreadId.KERNEL32 ref: 00A1F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A1F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A1F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A1F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A1F4DE
SetForegroundWindow.USER32(00000000), ref: 00A1F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F4F6
keybd_event.USER32(00000012,00000000), ref: 00A1F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F50B
keybd_event.USER32(00000012,00000000), ref: 00A1F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F519
keybd_event.USER32(00000012,00000000), ref: 00A1F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F528
keybd_event.USER32(00000012,00000000), ref: 00A1F52D
SetForegroundWindow.USER32(00000000), ref: 00A1F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A1F557

Strings

Shell_TrayWnd, xrefs: 00A1F46F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 30fda21bc841c4dd628ed4c0504131f45447746d4ab5e16c0f8f4c4313af71a9
Instruction ID: ef30cebe8fa36e606d331dd529870a0ab961f8863b57b734cac50489cc8a7c1f
Opcode Fuzzy Hash: 30fda21bc841c4dd628ed4c0504131f45447746d4ab5e16c0f8f4c4313af71a9
Instruction Fuzzy Hash: 6F317271A80318BFEB21ABF55C4AFBF7E6DFB44B61F100065FA01E61D1D6B05D41AAA0

Function 00A21201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A2170D
Part of subcall function 00A216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A2173A
Part of subcall function 00A216C3: GetLastError.KERNEL32 ref: 00A2174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A21286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A212A8
CloseHandle.KERNEL32(?), ref: 00A212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A212D1
GetProcessWindowStation.USER32 ref: 00A212EA
SetProcessWindowStation.USER32(00000000), ref: 00A212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A21310

Part of subcall function 00A210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A211FC), ref: 00A210D4
Part of subcall function 00A210BF: CloseHandle.KERNEL32(?,?,00A211FC), ref: 00A210E9

Strings

default, xrefs: 00A2130B
winsta0, xrefs: 00A212CC
, xrefs: 00A2125A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 8d15d21dbd07d7a34746acb7ec4ace08c659aab33cb99cdea7efd99d88e10fd5
Instruction ID: b89935e611fceeba11749a2de2f3141587dced50b2e2dddd547148f0d481bf5e
Opcode Fuzzy Hash: 8d15d21dbd07d7a34746acb7ec4ace08c659aab33cb99cdea7efd99d88e10fd5
Instruction Fuzzy Hash: 46817BB1A00319AFDF21EFA8EC49BEE7BB9FF04715F144129F915A61A0D7318A45CB60

Function 00A20B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A21114
Part of subcall function 00A210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21120
Part of subcall function 00A210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A2112F
Part of subcall function 00A210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21136
Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A20BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A20C00
GetLengthSid.ADVAPI32(?), ref: 00A20C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A20C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A20C6D
GetLengthSid.ADVAPI32(?), ref: 00A20C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A20C8C
HeapAlloc.KERNEL32(00000000), ref: 00A20C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A20CB4
CopySid.ADVAPI32(00000000), ref: 00A20CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A20CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A20D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A20D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20D45
HeapFree.KERNEL32(00000000), ref: 00A20D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20D55
HeapFree.KERNEL32(00000000), ref: 00A20D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20D65
HeapFree.KERNEL32(00000000), ref: 00A20D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A20D78
HeapFree.KERNEL32(00000000), ref: 00A20D7F

Part of subcall function 00A21193: GetProcessHeap.KERNEL32(00000008,00A20BB1,?,00000000,?,00A20BB1,?), ref: 00A211A1
Part of subcall function 00A21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A20BB1,?), ref: 00A211A8
Part of subcall function 00A21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A20BB1,?), ref: 00A211B7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 142d8ee716ac113be4dd55da1619efa903a442f0d406013106387ebf4ce7b07c
Instruction ID: 654301a1b1cdf3eee7568b1f6d23c56689028ffb2af4688341c5b2a38ecb1819
Opcode Fuzzy Hash: 142d8ee716ac113be4dd55da1619efa903a442f0d406013106387ebf4ce7b07c
Instruction Fuzzy Hash: 73713A7190132AAFDF10DFE8EC44FAEBBB8BF04311F144625E915A6192D771A906CF60

Function 00A3EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A5CC08), ref: 00A3EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A3EB37
GetClipboardData.USER32(0000000D), ref: 00A3EB43
CloseClipboard.USER32 ref: 00A3EB4F
GlobalLock.KERNEL32(00000000), ref: 00A3EB87
CloseClipboard.USER32 ref: 00A3EB91
GlobalUnlock.KERNEL32(00000000), ref: 00A3EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00A3EBC9
GetClipboardData.USER32(00000001), ref: 00A3EBD1
GlobalLock.KERNEL32(00000000), ref: 00A3EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00A3EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00A3EC38
GetClipboardData.USER32(0000000F), ref: 00A3EC44
GlobalLock.KERNEL32(00000000), ref: 00A3EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A3EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A3EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A3ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00A3ECF3
CountClipboardFormats.USER32 ref: 00A3ED14
CloseClipboard.USER32 ref: 00A3ED59

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7f09664d53b06bb57596f25074de3dcb31f44b2466a778c3e23657aa398be18b
Instruction ID: 34fbf24ac82c78d024f983d4842a55e289694efd628580e6f56d50aacbe297aa
Opcode Fuzzy Hash: 7f09664d53b06bb57596f25074de3dcb31f44b2466a778c3e23657aa398be18b
Instruction Fuzzy Hash: 6561AB34204301AFD300EF64D899F6AB7A8BF84764F14855DF4569B2E2CB31ED46CBA2

Function 00A3698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A369BE
FindClose.KERNEL32(00000000), ref: 00A36A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A36A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A36A75

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00A36AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A36ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A36B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00A36B32
%02d, xrefs: 00A36C00, 00A36C0A, 00A36C5A, 00A36CAA, 00A36CFA, 00A36D4A
%03d, xrefs: 00A36DA2
%4d, xrefs: 00A36BB1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f1919c74aa35926b86e6ac5bbb146c618d6dd47ab191c8be71689ae2954283ec
Instruction ID: ae8354c9fda06661d9ea636d026f3aac5514afe73d5f45d82bd1aa5c43c55f3b
Opcode Fuzzy Hash: f1919c74aa35926b86e6ac5bbb146c618d6dd47ab191c8be71689ae2954283ec
Instruction Fuzzy Hash: 28D13E72908340AFC710EBA4D996FABB7E8AF88704F04491DF589D6191EB74DA44CB62

Function 00A39642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A39663
GetFileAttributesW.KERNEL32(?), ref: 00A396A1
SetFileAttributesW.KERNEL32(?,?), ref: 00A396BB
FindNextFileW.KERNEL32(00000000,?), ref: 00A396D3
FindClose.KERNEL32(00000000), ref: 00A396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00A396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00A3974A
SetCurrentDirectoryW.KERNEL32(00A86B7C), ref: 00A39768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A39772
FindClose.KERNEL32(00000000), ref: 00A3977F
FindClose.KERNEL32(00000000), ref: 00A3978F

Strings

*.*, xrefs: 00A396F5

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2d821c0f5210965fa5a034f7c4c69c74bf00a524e1ae152af65fee6c58ac1c8a
Instruction ID: 69f828b8d6d81c4963f436a04e0a295d3a66f88f9f83bd74bb2bcfebcdad8f15
Opcode Fuzzy Hash: 2d821c0f5210965fa5a034f7c4c69c74bf00a524e1ae152af65fee6c58ac1c8a
Instruction Fuzzy Hash: 9C31AB3264171A7EDB10EFB4DC49AEF77ACAF49331F104166F915E21A0EBB4DE458A20

Function 00A3979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A39819
FindClose.KERNEL32(00000000), ref: 00A39824
FindFirstFileW.KERNEL32(*.*,?), ref: 00A39840
SetCurrentDirectoryW.KERNEL32(?), ref: 00A39890
SetCurrentDirectoryW.KERNEL32(00A86B7C), ref: 00A398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A398B8
FindClose.KERNEL32(00000000), ref: 00A398C5
FindClose.KERNEL32(00000000), ref: 00A398D5

Part of subcall function 00A2DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A2DB00

Strings

*.*, xrefs: 00A3983B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4f4445430a492298e637714712c12b56a80b962a1c0a3201ee452b95e0cb8608
Instruction ID: 45cdfbd4729cf8a604bcc75ab81d94b60a348eb46ef99db182f7c547fa5e59ed
Opcode Fuzzy Hash: 4f4445430a492298e637714712c12b56a80b962a1c0a3201ee452b95e0cb8608
Instruction Fuzzy Hash: CA31AE3254071A7EEB10EFA4EC48ADF77ACAF86335F104565F914A21A1DBB0DE85CA60

Function 00A4BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A4BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00A4BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A4C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A4C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A4C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A4C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A4C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A4C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A4C382
RegCloseKey.ADVAPI32(00000000), ref: 00A4C38F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d066613a4fa147b1948223ad8328696e4f6a4d12a78ddc596d168117f6f30f52
Instruction ID: 26a2c96a4f5b2df3bc26be2df63831ec85392f9520ea3bdb2b7e455de6f94859
Opcode Fuzzy Hash: d066613a4fa147b1948223ad8328696e4f6a4d12a78ddc596d168117f6f30f52
Instruction Fuzzy Hash: DA023C75604200AFD754DF28C895F2ABBE5AF89314F18C49DF84ACB2A2D731ED46CB52

Function 00A2D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2

Part of subcall function 00A2E199: GetFileAttributesW.KERNEL32(?,00A2CF95), ref: 00A2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A2D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A2D1DD
MoveFileW.KERNEL32(?,?), ref: 00A2D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A2D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A2D237

Part of subcall function 00A2D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A2D21C,?,?), ref: 00A2D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A2D253
FindClose.KERNEL32(00000000), ref: 00A2D264

Strings

\*.*, xrefs: 00A2D0CD, 00A2D0D6, 00A2D0EB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: e632d758b5a0515c4e3596fc33c41b25d1500136faa36ff364f4ea37d694de42
Instruction ID: a8152690841d442b4e9df22ddbc56aebf67652ce227d7a30c24faef213853fa4
Opcode Fuzzy Hash: e632d758b5a0515c4e3596fc33c41b25d1500136faa36ff364f4ea37d694de42
Instruction Fuzzy Hash: E8611931C0125DAECF05EBA4EA52EEDB7B5AF55300F248169E40277192EB30AF09CB61

Function 00A3ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A3ED91
EmptyClipboard.USER32 ref: 00A3ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00A3EDAC
CloseClipboard.USER32 ref: 00A3EEA3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ac0692ea9c6c9f34ef0616cae4c8ee075f1f754e4f32c581b25ca5969bbf1e7c
Instruction ID: 07336cedf468108a8d49b9222a29bc719c4a4e6c5a821ae80ebaff27cfd72392
Opcode Fuzzy Hash: ac0692ea9c6c9f34ef0616cae4c8ee075f1f754e4f32c581b25ca5969bbf1e7c
Instruction Fuzzy Hash: AA418935604611AFE320DF55D888F2ABBA5FF44329F148099F4198BAA2C735ED42CB91

Function 00A2E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A2170D
Part of subcall function 00A216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A2173A
Part of subcall function 00A216C3: GetLastError.KERNEL32 ref: 00A2174A

ExitWindowsEx.USER32(?,00000000), ref: 00A2E932

Strings

, xrefs: 00A2E920
@, xrefs: 00A2E925
SeShutdownPrivilege, xrefs: 00A2E902
, xrefs: 00A2E95C

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9d2664f8931109b18d803261d7bd68069d11dec6121d4c785357c3cfa4c08c4b
Instruction ID: a097e4ba8196377d7b2abc43ca4cce4ed92629b4b8ef590321bcb9c40e60ae1f
Opcode Fuzzy Hash: 9d2664f8931109b18d803261d7bd68069d11dec6121d4c785357c3cfa4c08c4b
Instruction Fuzzy Hash: 7E01D672610331AFEB54A7BCBC8ABBFB26CA714751F150833F812E21D1E5A05CC48294

Function 00A41204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A41276
WSAGetLastError.WSOCK32 ref: 00A41283
bind.WSOCK32(00000000,?,00000010), ref: 00A412BA
WSAGetLastError.WSOCK32 ref: 00A412C5
closesocket.WSOCK32(00000000), ref: 00A412F4
listen.WSOCK32(00000000,00000005), ref: 00A41303
WSAGetLastError.WSOCK32 ref: 00A4130D
closesocket.WSOCK32(00000000), ref: 00A4133C

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 4bd7755cf7e523ec657782c0e57c5042537adf990a82adb3510937dbdd758e63
Instruction ID: 167829208d6dd41ae78f306b6c916a70d4a79f8ac1e8b2856e9ee8ef9dda04ec
Opcode Fuzzy Hash: 4bd7755cf7e523ec657782c0e57c5042537adf990a82adb3510937dbdd758e63
Instruction Fuzzy Hash: 0C417275A002409FD710DF64C489B69BBE5BF86328F18819CE8569F396C771ED82CBE1

Function 00A2D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2

Part of subcall function 00A2E199: GetFileAttributesW.KERNEL32(?,00A2CF95), ref: 00A2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A2D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A2D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A2D481
FindClose.KERNEL32(00000000), ref: 00A2D498
FindClose.KERNEL32(00000000), ref: 00A2D4A1

Strings

\*.*, xrefs: 00A2D3F2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ae1a2593fd0256a7f63a536c80d4d1dbe13e7bb373011a25261e5ea819936bdc
Instruction ID: 1a2635f24d7a2f0f05c52697eb0641137cf940c103b45b0522d0b1853d3e03a7
Opcode Fuzzy Hash: ae1a2593fd0256a7f63a536c80d4d1dbe13e7bb373011a25261e5ea819936bdc
Instruction Fuzzy Hash: BE316F714083559FC204FF64D855EAFB7A8BED5314F444A2DF4D153192EB30AA09C763

Function 009FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009FE645

Strings

1#IND, xrefs: 009FF83D
1#SNAN, xrefs: 009FF844
1#QNAN, xrefs: 009FF84B
1#INF, xrefs: 009FF852

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 44d8c7ebd99126d65a9e1878fbd77813cf04edf552509ab32058ca31404a2d9c
Instruction ID: 9ee8ecbdee97ee5ad6dd719eda6a97f2c26b511b490b6b70183d5369c8b62cc8
Opcode Fuzzy Hash: 44d8c7ebd99126d65a9e1878fbd77813cf04edf552509ab32058ca31404a2d9c
Instruction Fuzzy Hash: 55C24971E0862C8FDB25CE289D507EAB7B9EF84305F1445EAD54EE7250E778AE818F40

Function 00A3648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A364DC
CoInitialize.OLE32(00000000), ref: 00A36639
CoCreateInstance.OLE32(00A5FCF8,00000000,00000001,00A5FB68,?), ref: 00A36650
CoUninitialize.OLE32 ref: 00A368D4

Strings

.lnk, xrefs: 00A364BA, 00A36524, 00A365E0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fa326b2dbc32d3edd4e3502a8c90b3186d90496641d647174581d892bca2298d
Instruction ID: 5a832b6a587d3c4e72e340468025c3284a23c934c262b518846063b5baa9efb3
Opcode Fuzzy Hash: fa326b2dbc32d3edd4e3502a8c90b3186d90496641d647174581d892bca2298d
Instruction Fuzzy Hash: 43D11771908301AFD314EF24C881E6BB7E9BFD9704F10896DF5958B291EB71E905CB92

Function 00A422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A422E8

Part of subcall function 00A3E4EC: GetWindowRect.USER32(?,?), ref: 00A3E504

GetDesktopWindow.USER32 ref: 00A42312
GetWindowRect.USER32(00000000), ref: 00A42319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A42355
GetCursorPos.USER32(?), ref: 00A42381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A423DF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: aca93e918b39f9e1bd3b7d8215d459e6fb7bd2057edb58c0b0b4a0f6cfa040a7
Instruction ID: 8d2efbc7b8d8a1734a44461e6d80303c65457cdd55c5a6652ecef1f400b5bc7d
Opcode Fuzzy Hash: aca93e918b39f9e1bd3b7d8215d459e6fb7bd2057edb58c0b0b4a0f6cfa040a7
Instruction Fuzzy Hash: D831DE72504315AFC720DF58D849B5BBBA9FFC8724F400919F9859B181DB34EA49CB92

Function 00A39B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A39B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A39C8B

Part of subcall function 00A33874: GetInputState.USER32 ref: 00A338CB
Part of subcall function 00A33874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A33966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A39BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A39C75

Strings

*.*, xrefs: 00A39B5D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 300e4586161b3ddce8b25d875e021ed291e73a10eea12e9ef9f2e11b1d9f9739
Instruction ID: 92b9558bfae39e9b516b9c3da1391b4c6b087ea906d8a260565010628508e208
Opcode Fuzzy Hash: 300e4586161b3ddce8b25d875e021ed291e73a10eea12e9ef9f2e11b1d9f9739
Instruction Fuzzy Hash: A441717190420AAFDF54DFA4C989BEEBBB4FF45311F144159F805A2191EB709E84CF61

Function 009D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 009D9A4E
GetSysColor.USER32(0000000F), ref: 009D9B23
SetBkColor.GDI32(?,00000000), ref: 009D9B36

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 319ced3f1d92149f6f718a23a84434063dd792241ef881eab1416d8232055b56
Instruction ID: 5c624851f5d29ae2aeac676617d0a220ed45519b43ff96f02ad62f9e1c991ddb
Opcode Fuzzy Hash: 319ced3f1d92149f6f718a23a84434063dd792241ef881eab1416d8232055b56
Instruction Fuzzy Hash: 24A13971288500BEE724FB3C8D98EBF26ADEB82350F15860BF412DA7D1DA299D41D271

Function 00A41806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A4307A
Part of subcall function 00A4304E: _wcslen.LIBCMT ref: 00A4309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A4185D
WSAGetLastError.WSOCK32 ref: 00A41884
bind.WSOCK32(00000000,?,00000010), ref: 00A418DB
WSAGetLastError.WSOCK32 ref: 00A418E6
closesocket.WSOCK32(00000000), ref: 00A41915

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7b25e6288f6edbead8dc263627a364996c76886c229259e213d56c48d1b54d0d
Instruction ID: 0c78bef5a3078d6c71a33f0bc32ed4873522c888702bfed3e64fa736d917aaea
Opcode Fuzzy Hash: 7b25e6288f6edbead8dc263627a364996c76886c229259e213d56c48d1b54d0d
Instruction Fuzzy Hash: FC519375A00210AFDB10EF64C886F6A7BE5ABC4718F18845CF9169F3D3D771AD428BA1

Function 00A51C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A51CC0
IsWindowEnabled.USER32 ref: 00A51CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A51CDB
IsIconic.USER32 ref: 00A51CE9
IsZoomed.USER32 ref: 00A51CF7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 423eabd716be77893a43f35a3e5fbcb544c32b4873d349bc80ae5f64f615d3ed
Instruction ID: c0125303c030cbaf24b9553683056782118f3505dfb67d6ce56b32fdd7ec40bb
Opcode Fuzzy Hash: 423eabd716be77893a43f35a3e5fbcb544c32b4873d349bc80ae5f64f615d3ed
Instruction Fuzzy Hash: 7C219F317402105FD7208F2AC884F7A7BA5FF95326B19806CEC4A8B351DB72ED46CB90

Function 009C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009C83FA
VUUU, xrefs: 00A05DF0
VUUU, xrefs: 009C843C
VUUU, xrefs: 009C83E8
ERCP, xrefs: 009C813C

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 5376986294125546684860a00b456a9662a3e14ef719e96281b865c546aa354a
Instruction ID: f5efd05ac55e0431ac499be39a83721075b08bde946301c2cdb0936d3bcacff7
Opcode Fuzzy Hash: 5376986294125546684860a00b456a9662a3e14ef719e96281b865c546aa354a
Instruction Fuzzy Hash: ECA2AE70E0061ECBDF24CF58D944BAEB7B1BF44314F2485AAE815AB281EB749D91CF91

Function 00A2AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A2AAAC
SetKeyboardState.USER32(00000080), ref: 00A2AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A2AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A2AB88

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 352894fe17361fc0ef1be3469246147194f32101e27495e78efacc611be55e9c
Instruction ID: e31a651f3a505ad3007a73768f882728630f25146ef49ccbe8d6539e680cd1b7
Opcode Fuzzy Hash: 352894fe17361fc0ef1be3469246147194f32101e27495e78efacc611be55e9c
Instruction Fuzzy Hash: 9A311670A40328AFFB35CB6CAC05BFA7BA6EF64320F04422AF181961D0D3758D85C762

Function 009FBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009FBB7F

Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0

GetTimeZoneInformation.KERNEL32 ref: 009FBB91
WideCharToMultiByte.KERNEL32(00000000,?,00A9121C,000000FF,?,0000003F,?,?), ref: 009FBC09
WideCharToMultiByte.KERNEL32(00000000,?,00A91270,000000FF,?,0000003F,?,?,?,00A9121C,000000FF,?,0000003F,?,?), ref: 009FBC36

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: df9d9f267aab2fe2e5b37a63b8643645948581d4f3264a85a13a41de2aa981b6
Instruction ID: 2033bcc20e493205d275fa53cce69ee61757412cf2f9c51b2d57f8aaf8eac2f0
Opcode Fuzzy Hash: df9d9f267aab2fe2e5b37a63b8643645948581d4f3264a85a13a41de2aa981b6
Instruction Fuzzy Hash: C831B571A4420ADFCB11EFA9DC8097EBBB8FF4575071446AAE260DB2B1DB709D41CB50

Function 00A3CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00A3CE89
GetLastError.KERNEL32(?,00000000), ref: 00A3CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00A3CEFE

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5ac76fb2c677d463c803ab82cf68b14050c81eb85da9c188a703d3d8a07ae4dd
Instruction ID: 50e5ec45acd4e5b88a96b8d3c66326f1de4c16a34fb12563eb55f86c4d9b7acd
Opcode Fuzzy Hash: 5ac76fb2c677d463c803ab82cf68b14050c81eb85da9c188a703d3d8a07ae4dd
Instruction Fuzzy Hash: AD219AB1500705AFEB20DFA5CD48BAAB7F8EB40769F20442EF546A2151EB70EE058B64

Function 00A28298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A282AA

Strings

(, xrefs: 00A282F0
|, xrefs: 00A282DA

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b6af9a4b11d98088800393270b8e4f8aad3832f3d62d909b5d17a90df8a0871a
Instruction ID: c30edc5f7c36fe4ab0310ba1a7cc2f67d04157b58803a2a6b243b5f3f96744ba
Opcode Fuzzy Hash: b6af9a4b11d98088800393270b8e4f8aad3832f3d62d909b5d17a90df8a0871a
Instruction Fuzzy Hash: 71324474A016159FCB28CF19D081AAAB7F0FF48710B15C46EE49ADB7A1EB74E981CB40

Function 00A35C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A35CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00A35D17
FindClose.KERNEL32(?), ref: 00A35D5F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 21c1961f501190d1677fc287c8197a5edbf27f9112046ea7c1f2a0c920e22418
Instruction ID: 843bc951f63e281be04f50c2d04b045958ecd34189a031676dfa68b8707ca666
Opcode Fuzzy Hash: 21c1961f501190d1677fc287c8197a5edbf27f9112046ea7c1f2a0c920e22418
Instruction Fuzzy Hash: 27514374A04A019FC714DF28C494E9AB7E4FF49324F14855EF9AA8B3A2DB30ED45CB91

Function 009F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 009F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 009F2731

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 670b4371b94d2c026e5f37b352e2877006f27edaf8f9a742a6c0eb19402abd4a
Instruction ID: f77fdf9337835019c9b0a93240542720dafb05548d7db8c0ad470046271895db
Opcode Fuzzy Hash: 670b4371b94d2c026e5f37b352e2877006f27edaf8f9a742a6c0eb19402abd4a
Instruction Fuzzy Hash: 5231C27490131CABCB21DF69D98979CBBB8AF58320F5041EAE80CA7260E7709F818F45

Function 00A351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A35238
SetErrorMode.KERNEL32(00000000), ref: 00A352A1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3b62a7ff7545e44cc3a0fc21049c9e3724f88a6d3f26014f29611e009a39bbab
Instruction ID: 401f78593b5ece97299e8e419b5ab941c507633b0009c783d7be652274424c64
Opcode Fuzzy Hash: 3b62a7ff7545e44cc3a0fc21049c9e3724f88a6d3f26014f29611e009a39bbab
Instruction Fuzzy Hash: 06312B75A006189FDB00DFA4D884FAEBBB4FF49314F048099E805AB366DB35E956CB91

Function 00A216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 009DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009E0668
Part of subcall function 009DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A2170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A2173A
GetLastError.KERNEL32 ref: 00A2174A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e3d7bac77272111c549ec28f906c3ff901b73867fe5bd19e4ae0471281c1eca6
Instruction ID: 700ce778d0871eda04c89d5aa5db9f829ee40061e1ef3c1a6a7129f7d3c4fcd1
Opcode Fuzzy Hash: e3d7bac77272111c549ec28f906c3ff901b73867fe5bd19e4ae0471281c1eca6
Instruction Fuzzy Hash: F41191B2404304AFD718DF54EC86E6BB7B9FB44725B20852EE05657681EB70BC418A60

Function 00A2D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A2D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A2D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A2D650

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: beb8c235876fc4ffc94ec77157e2225d59c057d283add7e22fd9020a4c74e60f
Instruction ID: 3d3e8cef661f88099ea1427e14354b5862b182d2c087798713f4a86d8c45bc4a
Opcode Fuzzy Hash: beb8c235876fc4ffc94ec77157e2225d59c057d283add7e22fd9020a4c74e60f
Instruction Fuzzy Hash: A0113C75E05328BFDB108F99AC45FAFBBBCEB45B60F108125F914E7294D6704A058BA1

Function 00A21663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A2168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A216A1
FreeSid.ADVAPI32(?), ref: 00A216B1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 743bb6fae49a8533dc42149d96997540ff72f77e900bcf155124540f0c6992ef
Instruction ID: 72f1d8ad2cccd77c29cea12b87ef8914b18b658387eef191875935cdcc001690
Opcode Fuzzy Hash: 743bb6fae49a8533dc42149d96997540ff72f77e900bcf155124540f0c6992ef
Instruction Fuzzy Hash: 4EF0FF71950309FFEB00DFE49C89AAEBBBDFB08615F5049A5E901E2181E774AA448A60

Function 009ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 06928e100d66fef5ffc5f852a2e91ced7cb9be1ea11820f8270e54bf4b1e432e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 7C022DB1E002599BDF15CFA9C8806ADBBF5FF88314F254569E959E7380D731AD42CB80

Function 00A368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A36918
FindClose.KERNEL32(00000000), ref: 00A36961

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9443df4b17c2da3e4671ff697051e783b4066a2d6c5c52305ca01da0f340cbd6
Instruction ID: 4ca6a4f4e9de2c35881a3987c3195bbf41cffa64dba46e1fc1b9f13f2fc359f5
Opcode Fuzzy Hash: 9443df4b17c2da3e4671ff697051e783b4066a2d6c5c52305ca01da0f340cbd6
Instruction Fuzzy Hash: E7117C71604200AFC710DF69D485B1ABBE5FF85329F14C69DF4698B6A2C730EC06CB91

Function 00A337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A44891,?,?,00000035,?), ref: 00A337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A44891,?,?,00000035,?), ref: 00A337F4

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 51e6aa169573c565daca84b327be1e8495d7c5ddda794a80adcfba3cfdf47c9e
Instruction ID: f4f0d8a8cf0b1fd82280d29f65a4f4a279d0f3f21d74f33d51a6a37dcd51235a
Opcode Fuzzy Hash: 51e6aa169573c565daca84b327be1e8495d7c5ddda794a80adcfba3cfdf47c9e
Instruction Fuzzy Hash: 27F0E5B1A043292AEB20A7A69C4DFEB7AAEEFC4771F000165F509D22D5D9609904C7B0

Function 00A2B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A2B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A2B270

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c4bc73eaa0d604a140ab1b1987ee35a0827d7ffca9681be46113e478da539284
Instruction ID: 08d7e06faed8c43024a91c28698990c8b33645ddd8c630c326525515cdb7e7e7
Opcode Fuzzy Hash: c4bc73eaa0d604a140ab1b1987ee35a0827d7ffca9681be46113e478da539284
Instruction Fuzzy Hash: 86F0F97181434DABDB059FA4D805BEE7BB4FF08315F008019E955A5192D3798611DFA4

Function 00A210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A211FC), ref: 00A210D4
CloseHandle.KERNEL32(?,?,00A211FC), ref: 00A210E9

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c32586de4bf7005aca8943fe05b455453f72a1b766f265a7cf0268198c68dcbc
Instruction ID: ec13c08eef91b778a94ecd30bf8629b627b0aaa1acbc08c416a2cfa51b342016
Opcode Fuzzy Hash: c32586de4bf7005aca8943fe05b455453f72a1b766f265a7cf0268198c68dcbc
Instruction Fuzzy Hash: CBE04F32008710AEE7252B51FC06F7377A9FB04321F10C82EF4A6804B5DB626C90DB50

Function 009CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00A10C40

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e75bba0d92fadde2af04bcdab8097a520dffb9e3cbb7b3ba48adb65a346f0bdd
Instruction ID: 03e405512723c5f90a7c15ac464e69b38f69dbc3a20445eef39cab1cfc20603a
Opcode Fuzzy Hash: e75bba0d92fadde2af04bcdab8097a520dffb9e3cbb7b3ba48adb65a346f0bdd
Instruction Fuzzy Hash: A8327BB4D002189BCF14DF90C981FEDBBB5BF45344F14845DE80AAB292D775AE86CB62

Function 009F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009F6766,?,?,00000008,?,?,009FFEFE,00000000), ref: 009F6998

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 506d60cf43294dc85f358998b2b8e25046893975168f0a9431e156ecd8e3ec0d
Instruction ID: 3f2b6f1b282b5b53a9d29ca9264cddddf29dbd8d4cf38c16d02b00c3c382f7b3
Opcode Fuzzy Hash: 506d60cf43294dc85f358998b2b8e25046893975168f0a9431e156ecd8e3ec0d
Instruction Fuzzy Hash: 6AB13A316107099FD719CF28C48AB657BE0FF45364F25865CEA9ACF2A2C335E991CB40

Function 009DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A1851F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 404dc48e31a8fb4bebb7917fd363419c1add269dd0352fa2422b2fced1ca6393
Instruction ID: 059bcf2bb0bd337496411e9df02cfc61103f14ba5c5d9eae2934fbc75be9f283
Opcode Fuzzy Hash: 404dc48e31a8fb4bebb7917fd363419c1add269dd0352fa2422b2fced1ca6393
Instruction Fuzzy Hash: F5124E75A00229DFDB14CF58C881BEEB7B5FF48710F15819AE849EB255EB349E81CB90

Function 00A3EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A3EABD

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 51e618186bc6e575716fd40150f4c55836c0dcfca9d7f6ea40ce1a23050364f0
Instruction ID: f920f6e23a4d2688c141ce0138d63babe6c3b20555c8a499eaf64c3ca1ec2f77
Opcode Fuzzy Hash: 51e618186bc6e575716fd40150f4c55836c0dcfca9d7f6ea40ce1a23050364f0
Instruction Fuzzy Hash: 19E01A316002059FC710EF59D805E9ABBE9AF987A1F00841AFC49C7391DA70A9418B91

Function 009E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009E03EE), ref: 009E09DA

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 93c6f04194f3bbd6773e1b0c8df38218a485f85c41408c66ebbefb8d5704121b
Instruction ID: b0644e232b4a1001ef44734275d23ff8f7d3d80cbaed6a25a8c224af8e7f55a4
Opcode Fuzzy Hash: 93c6f04194f3bbd6773e1b0c8df38218a485f85c41408c66ebbefb8d5704121b
Instruction Fuzzy Hash:

Function 009E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 009E798B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 94db70461fff6b521c801271b043417a4245253dcebea68de565175d7478c66f
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9E51437160C6C56BDB3B85EB889A7BFE78D9F62340F180919D886C7283CA19DE01D353

Function 009F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113640d2205e8c45d866bb1d4ba0f2b5f0bc3dcdc4ec1e9955eff53d34c49d3b
Instruction ID: d7bce63c0f02abee9b5b80305560cf07343eb9e220010d0a8fe353110825f77b
Opcode Fuzzy Hash: 113640d2205e8c45d866bb1d4ba0f2b5f0bc3dcdc4ec1e9955eff53d34c49d3b
Instruction Fuzzy Hash: D5325522D29F054DD7239674CC22335A69DAFB73D5F14C737F81AB59A9EB69C4834200

Function 009DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b8c83f0a61b5e72db4c1bdfc27b0e7707056c3a590412f17ce46a5a56cf6e2
Instruction ID: 26a406b16abf35759cfb94c9594d7fc6846aeebf99086a998c45c8a167c6fa58
Opcode Fuzzy Hash: 79b8c83f0a61b5e72db4c1bdfc27b0e7707056c3a590412f17ce46a5a56cf6e2
Instruction Fuzzy Hash: 62321272A841168BDF28CB28C5946FD7BB2EF45360F28896BD59ACB391D234DDC1DB40

Function 009C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1b1a6082fead44c8c73d68e2043cfdabfb62f59d025afcc82e14723eaa43bf
Instruction ID: 500c95a3e027b6feb9e50ec2a06566ecd38d48379c45f873b1238bd0f7972b2a
Opcode Fuzzy Hash: 4d1b1a6082fead44c8c73d68e2043cfdabfb62f59d025afcc82e14723eaa43bf
Instruction Fuzzy Hash: 4222AF70E0060A9FDF14CFA5D881BAEB7B6FF48300F144529E816AB291EB36AD51CF51

Function 009C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36036b54b8326944a3f4dbaed006c81a4095ac2bad5f6f190d806ff344cf8780
Instruction ID: 6a72034f14dac3a325332756c21ecdc1cf07b6c2a7e8a0fdd985f81a3cbc0e6c
Opcode Fuzzy Hash: 36036b54b8326944a3f4dbaed006c81a4095ac2bad5f6f190d806ff344cf8780
Instruction Fuzzy Hash: 5902B4B1E00209EBDB04DF54D881BAEB7B1FF44300F508569E81A9B2D1EB35AE61DB91

Function 009F9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e0df4787d995e9b64ad60b8c0a053c4de51f8c1e78334456cd444bd26c9fe0
Instruction ID: a6cc0ded84280587e30e565c802bc8518759609ed82caac6bd524678bb5c82ef
Opcode Fuzzy Hash: b4e0df4787d995e9b64ad60b8c0a053c4de51f8c1e78334456cd444bd26c9fe0
Instruction Fuzzy Hash: 1CB12421E2AF414DD72396398831336B65CAFBB6D5F51D31BFC2778E62EB6181834140

Function 009E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c4e239ca10a0fbe3dd6c96a20f7b6235c9d565959ef4cae99c9c92f3c21b01d3
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 909157726080E34ADB2F463B857447EFFE55A923A131A0B9DE4F2CA1C5EE34DD94D620

Function 009E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6b6090f08d588e0aaf634fc1cfe45a61a2a9146dfd483d3e9e976529d022031d
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8A9121722090E34ADB6B467B957403DFFE55A923A131E07AED4F2CA1C5FE348D54D620

Function 009E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7840a9bc01fae0124cbad6268698df2b7d559836f21870626695f1d30f5da421
Instruction ID: 45f66d0bbf8fdd857f5ecde1d0ae76997beb973b2cd24c7a0258d507ff3cb951
Opcode Fuzzy Hash: 7840a9bc01fae0124cbad6268698df2b7d559836f21870626695f1d30f5da421
Instruction Fuzzy Hash: A3615B716087C996DA3799EB8C95BBFF39CDF81700F280D2DE882DB281D6159E428357

Function 009E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b60899ca933000c86e26c1023145e9d744a4506c5a5486e1a812c52ceb9111
Instruction ID: f419640b93972dbe1ad49459f1c6a92276a578c30c0a32162f54eb1ee38edef0
Opcode Fuzzy Hash: 15b60899ca933000c86e26c1023145e9d744a4506c5a5486e1a812c52ceb9111
Instruction Fuzzy Hash: A0616A712087C9A6DA3B49EB4C55BBFE38DAF42700F100D5DE946CB2D1DA159DC2C217

Function 009E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: f21813994fb3bf864efb30dceb780425fb5eefb4d6b1c749e3faa08bcd37d48a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D8163766090E34ADB6F423B857447EFFE55A923A131A079ED4F2CA1C2EE34CD54E620

Function 00A32046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb6063584bfe506f909a47f03a9f83457f4daa18b7199b09553cd7f925bf4ff
Instruction ID: f2678cae62188eeb17b7feb1d1b42a9ccbdd2aaf210bf95fa4d5ae5572c3d653
Opcode Fuzzy Hash: 6bb6063584bfe506f909a47f03a9f83457f4daa18b7199b09553cd7f925bf4ff
Instruction Fuzzy Hash: E62181327216118BDB28CF79C8227BE73E5A754310F15862EA4A7C76D0DE35A9048B80

Function 00A42ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A42B30
DeleteObject.GDI32(00000000), ref: 00A42B43
DestroyWindow.USER32 ref: 00A42B52
GetDesktopWindow.USER32 ref: 00A42B6D
GetWindowRect.USER32(00000000), ref: 00A42B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A42CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A42CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42CF8
GetClientRect.USER32(00000000,?), ref: 00A42D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A42D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D80
GlobalLock.KERNEL32(00000000), ref: 00A42D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D98
GlobalUnlock.KERNEL32(00000000), ref: 00A42DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42DA8
GlobalFree.KERNEL32(00000000), ref: 00A42DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A5FC38,00000000), ref: 00A42DDB
GlobalFree.KERNEL32(00000000), ref: 00A42DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A42E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A42E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A4303F

Strings

DISPLAY, xrefs: 00A42EA2
, xrefs: 00A42FC5
AutoIt v3, xrefs: 00A42CF2
static, xrefs: 00A42D3A, 00A42E91

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 92034dafbcb1b288700d8c96af1ad7f48fb95df9097aafff0b87ed16749dc47d
Instruction ID: 6ab0cdfc3333e58e5ad0095726c89de5f7862fe156affed6831831d5cb5ff178
Opcode Fuzzy Hash: 92034dafbcb1b288700d8c96af1ad7f48fb95df9097aafff0b87ed16749dc47d
Instruction Fuzzy Hash: 1F026E75A00205AFDB14DFA4CC89FAE7BB9FB88721F108558F915AB2A1DB749D01CF60

Function 00A570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A5712F
GetSysColorBrush.USER32(0000000F), ref: 00A57160
GetSysColor.USER32(0000000F), ref: 00A5716C
SetBkColor.GDI32(?,000000FF), ref: 00A57186
SelectObject.GDI32(?,?), ref: 00A57195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A571C0
GetSysColor.USER32(00000010), ref: 00A571C8
CreateSolidBrush.GDI32(00000000), ref: 00A571CF
FrameRect.USER32(?,?,00000000), ref: 00A571DE
DeleteObject.GDI32(00000000), ref: 00A571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A57230
FillRect.USER32(?,?,?), ref: 00A57262
GetWindowLongW.USER32(?,000000F0), ref: 00A57284

Part of subcall function 00A573E8: GetSysColor.USER32(00000012), ref: 00A57421
Part of subcall function 00A573E8: SetTextColor.GDI32(?,?), ref: 00A57425
Part of subcall function 00A573E8: GetSysColorBrush.USER32(0000000F), ref: 00A5743B
Part of subcall function 00A573E8: GetSysColor.USER32(0000000F), ref: 00A57446
Part of subcall function 00A573E8: GetSysColor.USER32(00000011), ref: 00A57463
Part of subcall function 00A573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A57471
Part of subcall function 00A573E8: SelectObject.GDI32(?,00000000), ref: 00A57482
Part of subcall function 00A573E8: SetBkColor.GDI32(?,00000000), ref: 00A5748B
Part of subcall function 00A573E8: SelectObject.GDI32(?,?), ref: 00A57498
Part of subcall function 00A573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A574B7
Part of subcall function 00A573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A574CE
Part of subcall function 00A573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A574DB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e87cb0e00ddee9f89c3ef9729add5e22e2ecd6ac2a4f43022bcb707b31c1120d
Instruction ID: 4cb7b0b771ca09ff79ddb7ecbf13c715db175f32d0d2f6be953bc25ca875e386
Opcode Fuzzy Hash: e87cb0e00ddee9f89c3ef9729add5e22e2ecd6ac2a4f43022bcb707b31c1120d
Instruction Fuzzy Hash: 20A18072008701AFDB11DFA4EC48A5FBBA9FB49332F100B19F962A61E1E771E945CB51

Function 009D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A16AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A16AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A16F43

Part of subcall function 009D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009D8BE8,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 009D8FC5

SendMessageW.USER32(?,00001053), ref: 00A16F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A16F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A16FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A16FB7

Strings

0, xrefs: 00A16DCF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0b55f717456b7b186f75b1c14acb2e0180ff2f155652834f10edf2ca5ea4bfb2
Instruction ID: 2a9a23ec0090feb1748484b23e932447ae983cdce67a74813f114c6722d3033a
Opcode Fuzzy Hash: 0b55f717456b7b186f75b1c14acb2e0180ff2f155652834f10edf2ca5ea4bfb2
Instruction Fuzzy Hash: 51129C30204211EFDB25DF24D984BEAB7E5FB44311F14856AE485CB6A2CB35EC92DF91

Function 00A42711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A4273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A4286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A42900
GetClientRect.USER32(00000000,?), ref: 00A4290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A42955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A42964
GetStockObject.GDI32(00000011), ref: 00A42974
SelectObject.GDI32(00000000,00000000), ref: 00A42978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A42988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A42991
DeleteDC.GDI32(00000000), ref: 00A4299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A42A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A42A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A42A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A42A77
GetStockObject.GDI32(00000011), ref: 00A42A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A42A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A42A97

Strings

DISPLAY, xrefs: 00A4295A
msctls_progress32, xrefs: 00A42A13
AutoIt v3, xrefs: 00A428F8
static, xrefs: 00A4294F, 00A42A71

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3ee20290ada6052db1bc47e0a8618cb937a80f5fbe14941ef10a23ca21ee3bbd
Instruction ID: e8cfb4680a1229ee93055fce825cbf2a8ff02b0add93ac92d1c380e27851101a
Opcode Fuzzy Hash: 3ee20290ada6052db1bc47e0a8618cb937a80f5fbe14941ef10a23ca21ee3bbd
Instruction Fuzzy Hash: BDB15B75A00205AFEB14DFA8CC8AFAE7BB9FB48711F004519F915EB290DB70AD41CB90

Function 00A34ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A34AED
GetDriveTypeW.KERNEL32(?,00A5CB68,?,\\.\,00A5CC08), ref: 00A34BCA
SetErrorMode.KERNEL32(00000000,00A5CB68,?,\\.\,00A5CC08), ref: 00A34D36

Strings

Virtual, xrefs: 00A34CE5
ATA, xrefs: 00A34C98
RAID, xrefs: 00A34CBB
FileBackedVirtual, xrefs: 00A34CEC
SAS, xrefs: 00A34CC9
CDROM, xrefs: 00A34BFB
Removable, xrefs: 00A34C10, 00A34C15
PhysicalDrive, xrefs: 00A34B76
\\.\, xrefs: 00A34B3F
MMC, xrefs: 00A34CDE
RAMDisk, xrefs: 00A34BF4
SSA, xrefs: 00A34CA6
Fixed, xrefs: 00A34C09
iSCSI, xrefs: 00A34CC2
SCSI, xrefs: 00A34C8A
1394, xrefs: 00A34C9F
ATAPI, xrefs: 00A34C91
SSD, xrefs: 00A34C4A
Network, xrefs: 00A34C02
Fibre, xrefs: 00A34CAD
Unknown, xrefs: 00A34BED, 00A34C83
USB, xrefs: 00A34CB4
SATA, xrefs: 00A34CD0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a8762785903b43589b0f7518d81bde99a4611967d6a522de5b55438f4990d263
Instruction ID: 7d76c03db2c4d06e93d58fcf251c0d02d3db15193a2f74c894573021065763ce
Opcode Fuzzy Hash: a8762785903b43589b0f7518d81bde99a4611967d6a522de5b55438f4990d263
Instruction Fuzzy Hash: 6C619230605605AFDB04EF24CA82E6DB7B0FB4C744F24941AF806AB692DB35FD41DB42

Function 00A573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A57421
SetTextColor.GDI32(?,?), ref: 00A57425
GetSysColorBrush.USER32(0000000F), ref: 00A5743B
GetSysColor.USER32(0000000F), ref: 00A57446
CreateSolidBrush.GDI32(?), ref: 00A5744B
GetSysColor.USER32(00000011), ref: 00A57463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A57471
SelectObject.GDI32(?,00000000), ref: 00A57482
SetBkColor.GDI32(?,00000000), ref: 00A5748B
SelectObject.GDI32(?,?), ref: 00A57498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A5752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A57554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A57572
DrawFocusRect.USER32(?,?), ref: 00A5757D
GetSysColor.USER32(00000011), ref: 00A5758E
SetTextColor.GDI32(?,00000000), ref: 00A57596
DrawTextW.USER32(?,00A570F5,000000FF,?,00000000), ref: 00A575A8
SelectObject.GDI32(?,?), ref: 00A575BF
DeleteObject.GDI32(?), ref: 00A575CA
SelectObject.GDI32(?,?), ref: 00A575D0
DeleteObject.GDI32(?), ref: 00A575D5
SetTextColor.GDI32(?,?), ref: 00A575DB
SetBkColor.GDI32(?,?), ref: 00A575E5

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a49b726afd461053f2ac342c66a341fc3e515622eff0a6ae5fe94ba3cda6aca1
Instruction ID: 78bcebc3ea515af67573435e0c1e8359ba88a6513c5a077e71ef4c5af5ee2aeb
Opcode Fuzzy Hash: a49b726afd461053f2ac342c66a341fc3e515622eff0a6ae5fe94ba3cda6aca1
Instruction Fuzzy Hash: 54614A72900318AFDB01DFA4DC49EAEBFB9FB08322F114215F915BB2A1E7749941CB90

Function 00A50FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A51128
GetDesktopWindow.USER32 ref: 00A5113D
GetWindowRect.USER32(00000000), ref: 00A51144
GetWindowLongW.USER32(?,000000F0), ref: 00A51199
DestroyWindow.USER32(?), ref: 00A511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A5120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A5121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A51232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A51245
IsWindowVisible.USER32(00000000), ref: 00A512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A512D0
GetWindowRect.USER32(00000000,?), ref: 00A512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A5130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A51328
CopyRect.USER32(?,?), ref: 00A5133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A513AA

Strings

(, xrefs: 00A5131B
tooltips_class32, xrefs: 00A511E6
0, xrefs: 00A510D3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 827fb15b7761319300aae94e066ad6333214c79c87ad6d3efebe166ed09480b9
Instruction ID: 644917cedddceb0203ef1fb40fe0f604533814ad54cf3a6ede6a396c42ed5e71
Opcode Fuzzy Hash: 827fb15b7761319300aae94e066ad6333214c79c87ad6d3efebe166ed09480b9
Instruction Fuzzy Hash: 5FB17A71604341AFD700DF64C885F6ABBE4FF88755F00891CF9999B2A1D771E849CB92

Function 009D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009D8968
GetSystemMetrics.USER32(00000007), ref: 009D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009D899B
GetSystemMetrics.USER32(00000008), ref: 009D89A3
GetSystemMetrics.USER32(00000004), ref: 009D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 009D8A5A
GetStockObject.GDI32(00000011), ref: 009D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 009D8A81

Part of subcall function 009D912D: GetCursorPos.USER32(?), ref: 009D9141
Part of subcall function 009D912D: ScreenToClient.USER32(00000000,?), ref: 009D915E
Part of subcall function 009D912D: GetAsyncKeyState.USER32(00000001), ref: 009D9183
Part of subcall function 009D912D: GetAsyncKeyState.USER32(00000002), ref: 009D919D

SetTimer.USER32(00000000,00000000,00000028,009D90FC), ref: 009D8AA8

Strings

AutoIt v3 GUI, xrefs: 009D8A20

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: af63dc08fb5f1f5e48fa37a4b4451db6c7fa647ea2fbf53748505d95b01ee1b4
Instruction ID: 2412d4bd56085cd9fad7bc668291f9191e7e4d4dafca4b9442ed66317f61ae11
Opcode Fuzzy Hash: af63dc08fb5f1f5e48fa37a4b4451db6c7fa647ea2fbf53748505d95b01ee1b4
Instruction Fuzzy Hash: 0AB16D75A4030A9FDB14DFA8CC95BEE3BB5FB48315F10822AFA15E7290DB34A941CB51

Function 00A20D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A21114
Part of subcall function 00A210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21120
Part of subcall function 00A210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A2112F
Part of subcall function 00A210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21136
Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A20DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A20E29
GetLengthSid.ADVAPI32(?), ref: 00A20E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A20E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A20E96
GetLengthSid.ADVAPI32(?), ref: 00A20EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A20EB5
HeapAlloc.KERNEL32(00000000), ref: 00A20EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A20EDD
CopySid.ADVAPI32(00000000), ref: 00A20EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A20F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A20F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A20F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20F6E
HeapFree.KERNEL32(00000000), ref: 00A20F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20F7E
HeapFree.KERNEL32(00000000), ref: 00A20F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20F8E
HeapFree.KERNEL32(00000000), ref: 00A20F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A20FA1
HeapFree.KERNEL32(00000000), ref: 00A20FA8

Part of subcall function 00A21193: GetProcessHeap.KERNEL32(00000008,00A20BB1,?,00000000,?,00A20BB1,?), ref: 00A211A1
Part of subcall function 00A21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A20BB1,?), ref: 00A211A8
Part of subcall function 00A21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A20BB1,?), ref: 00A211B7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 88e518ae62be6c3105aa111d863bb82ebc307244893df50daf8ac814c0bc20c3
Instruction ID: 6b3d2acec63cbba19e138f7458f9e61bfd1f8269febf8deb4106329986c1c7ab
Opcode Fuzzy Hash: 88e518ae62be6c3105aa111d863bb82ebc307244893df50daf8ac814c0bc20c3
Instruction Fuzzy Hash: 4C714A7290032AAFDF20DFA8ED44FAEBBB8FF04311F144125E919E6192D7719905CB60

Function 00A4C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A5CC08,00000000,?,00000000,?,?), ref: 00A4C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A4C5A4
_wcslen.LIBCMT ref: 00A4C5F4
_wcslen.LIBCMT ref: 00A4C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A4C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A4C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A4C84D
RegCloseKey.ADVAPI32(?), ref: 00A4C881
RegCloseKey.ADVAPI32(00000000), ref: 00A4C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A4C960

Strings

REG_SZ, xrefs: 00A4C644
REG_EXPAND_SZ, xrefs: 00A4C5CD
REG_BINARY, xrefs: 00A4C913
REG_MULTI_SZ, xrefs: 00A4C6F5
REG_QWORD, xrefs: 00A4C8C3
REG_DWORD, xrefs: 00A4C804

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d3feeb9d5804bc9533e971bcbff1b055c67d761eef6d8c6bab608041c3ca5fa6
Instruction ID: 1ce1630fde55d646763f2d78105039030341f46511ca7d62055e590f0b7f8938
Opcode Fuzzy Hash: d3feeb9d5804bc9533e971bcbff1b055c67d761eef6d8c6bab608041c3ca5fa6
Instruction Fuzzy Hash: 0D1225756042019FD754DF24C891F2AB7E5EF88724F14889DF88A9B2A2DB31ED41CB86

Function 00A5091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A509C6
_wcslen.LIBCMT ref: 00A50A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A50A54
_wcslen.LIBCMT ref: 00A50A8A
_wcslen.LIBCMT ref: 00A50B06
_wcslen.LIBCMT ref: 00A50B81

Part of subcall function 009DF9F2: _wcslen.LIBCMT ref: 009DF9FD

Part of subcall function 00A22BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A22BFA

Strings

ISCHECKED, xrefs: 00A50CE1
COLLAPSE, xrefs: 00A50B01, 00A50B1C
EXISTS, xrefs: 00A50B7C, 00A50B97
GETSELECTED, xrefs: 00A50C4E
CHECK, xrefs: 00A50A85, 00A50AA0
EXPAND, xrefs: 00A50BF8
GETTOTALCOUNT, xrefs: 00A509F2, 00A50A17
SELECT, xrefs: 00A50D11
GETITEMCOUNT, xrefs: 00A50C1E
UNCHECK, xrefs: 00A50D3E
GETTEXT, xrefs: 00A50C97

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 92e7a40f9ffb91c6a1853f6a845124017625150860b313a7ba861d98c07363ab
Instruction ID: 8f28ad8852a10f534b199eff2941f5e2d7b9fd53dd699ba18fbabcd90ff1e1e7
Opcode Fuzzy Hash: 92e7a40f9ffb91c6a1853f6a845124017625150860b313a7ba861d98c07363ab
Instruction Fuzzy Hash: 9FE18B326087019FCB14EF24C490E2AB7E2BFD8355B15895DF8969B362D730ED49CB82

Function 00A4C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
_wcslen.LIBCMT ref: 00A4C9F1
_wcslen.LIBCMT ref: 00A4CA68
_wcslen.LIBCMT ref: 00A4CA9E
_wcslen.LIBCMT ref: 00A4CAF9
_wcslen.LIBCMT ref: 00A4CB2F
_wcslen.LIBCMT ref: 00A4CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00A4CA62, 00A4CA67
HKU, xrefs: 00A4CBF0
HKEY_CURRENT_CONFIG, xrefs: 00A4CB79, 00A4CB7E
HKLM, xrefs: 00A4CA98, 00A4CA9D
HKEY_CURRENT_USER, xrefs: 00A4CBBD
HKEY_USERS, xrefs: 00A4CBDF
HKCC, xrefs: 00A4CBAC
HKCU, xrefs: 00A4CBCE
HKEY_CLASSES_ROOT, xrefs: 00A4CAF3, 00A4CAF8
HKCR, xrefs: 00A4CB29, 00A4CB2E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 818b5e59ffda9bfa50b359b822f0ae3b8eb8849cba4e2f7f187787a9fe4e7208
Instruction ID: 3bb71bca32dccb5d28c102bdac17b7014bbda67eea194a52e296b2c7cbfe0291
Opcode Fuzzy Hash: 818b5e59ffda9bfa50b359b822f0ae3b8eb8849cba4e2f7f187787a9fe4e7208
Instruction Fuzzy Hash: 7071F83660116A8BCB50DF78CD516BE33A2AFE07B4B254528F85AA7285EA31CD45C790

Function 00A5833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A5835A
_wcslen.LIBCMT ref: 00A5836E
_wcslen.LIBCMT ref: 00A58391
_wcslen.LIBCMT ref: 00A583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A5361A,?), ref: 00A5844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A58487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A58501
FreeLibrary.KERNEL32(?), ref: 00A5850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A5851D
DestroyIcon.USER32(?), ref: 00A5852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A58549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A58555

Strings

.icl, xrefs: 00A58368
.exe, xrefs: 00A58388
.dll, xrefs: 00A583AB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: bd8df81fdec29635196209b11af4e99d69b936f774e107be690d8c969af4d533
Instruction ID: 80fed713e2fe7086fdebcd69bf4b6a17f90ae9b48eea1630be96224f0b8f0c6c
Opcode Fuzzy Hash: bd8df81fdec29635196209b11af4e99d69b936f774e107be690d8c969af4d533
Instruction Fuzzy Hash: 6D61D171940315BEEB14DFA4CC41BBE77B8BB48B22F104509FC15EA1D1EB78A984CBA0

Function 009C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00A05279
#pragma compile, xrefs: 009C77D3
#include-once, xrefs: 009C782F
#comments-start, xrefs: 009C785F, 009C78B1
#notrayicon, xrefs: 009C77E7
#cs, xrefs: 009C7873, 009C78C5
#OnAutoItStartRegister, xrefs: 009C7817
", xrefs: 00A05153
Unterminated group of comments, xrefs: 00A0528C
#requireadmin, xrefs: 009C77FF
', xrefs: 00A05169
#include, xrefs: 009C7847
Bad directive syntax error, xrefs: 00A0519A
#comments-end, xrefs: 009C78D9
#ce, xrefs: 009C78ED

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 5284acf58088802dce329b4c6550dc769826687a634cfd47cd6dc031a9f3e135
Instruction ID: e0ffa0bb5af31cc60073e1eeb7dc8a838bc8b2361831460aab7bd0e68ef28421
Opcode Fuzzy Hash: 5284acf58088802dce329b4c6550dc769826687a634cfd47cd6dc031a9f3e135
Instruction Fuzzy Hash: 4981F871E40209BBDB11BFA0DD53FAF7768BF55300F044429F905AA196EB70DA15CBA2

Function 00A33E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A33EF8
_wcslen.LIBCMT ref: 00A33F03
_wcslen.LIBCMT ref: 00A33F5A
_wcslen.LIBCMT ref: 00A33F98
GetDriveTypeW.KERNEL32(?), ref: 00A33FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A3401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A34059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A34087

Strings

closed, xrefs: 00A33F08, 00A33F2D, 00A33F46, 00A33F7E, 00A33F97
wait, xrefs: 00A34044
type cdaudio alias cd wait, xrefs: 00A34001
close cd wait, xrefs: 00A34072
set cd door , xrefs: 00A34028
open , xrefs: 00A33FE5
open, xrefs: 00A33F54, 00A33F59
close, xrefs: 00A33EFE, 00A33F18

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: dcbb63d7effbdaa5e6db0f592fe71803c2816373fbc9b684cd06a2d36ab0f975
Instruction ID: e7225e7208cc54f5539464761ea9c48be65db656f504fb5928153299afc68338
Opcode Fuzzy Hash: dcbb63d7effbdaa5e6db0f592fe71803c2816373fbc9b684cd06a2d36ab0f975
Instruction Fuzzy Hash: 7671F472A083019FC710EF24C881A6AB7F4FF99758F40492DF89697251EB34EE45CB92

Function 00A25A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A25A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A25A40
SetWindowTextW.USER32(?,?), ref: 00A25A57
GetDlgItem.USER32(?,000003EA), ref: 00A25A6C
SetWindowTextW.USER32(00000000,?), ref: 00A25A72
GetDlgItem.USER32(?,000003E9), ref: 00A25A82
SetWindowTextW.USER32(00000000,?), ref: 00A25A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A25AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A25AC3
GetWindowRect.USER32(?,?), ref: 00A25ACC
_wcslen.LIBCMT ref: 00A25B33
SetWindowTextW.USER32(?,?), ref: 00A25B6F
GetDesktopWindow.USER32 ref: 00A25B75
GetWindowRect.USER32(00000000), ref: 00A25B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A25BD3
GetClientRect.USER32(?,?), ref: 00A25BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A25C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A25C2F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: fa83756a5a39b9df32c6633235ed83a5dda347cf1be22c9a55976dab7f670f47
Instruction ID: 87e1d2ee05d9cb7d1c738671dbdd6c1d5dce576b4592e904f9e2ec63fc73edd0
Opcode Fuzzy Hash: fa83756a5a39b9df32c6633235ed83a5dda347cf1be22c9a55976dab7f670f47
Instruction Fuzzy Hash: 06718C31900B19AFDB20DFB8DE89AAEBBF5FF48715F104528E542A25A0E774E944CB50

Function 00A3FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00A3FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00A3FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00A3FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00A3FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00A3FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00A3FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00A3FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00A3FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00A3FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00A3FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00A3FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00A3FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00A3FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00A3FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00A3FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00A3FECC
GetCursorInfo.USER32(?), ref: 00A3FEDC
GetLastError.KERNEL32 ref: 00A3FF1E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 643b1a34720a251a77a3e856415b64f92f8d3d158cfdccdccd38cfcac46d3a11
Instruction ID: 25ff6514465dec2560fc8788f562377d342bcd0a69c867603a80d52d6b1cbe16
Opcode Fuzzy Hash: 643b1a34720a251a77a3e856415b64f92f8d3d158cfdccdccd38cfcac46d3a11
Instruction Fuzzy Hash: FE4140B0D043196EDB10DFBA8C89D5EBFA8FF04754B50452AF51DEB281DB78A9018E91

Function 009E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009E00C6

Part of subcall function 009E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A9070C,00000FA0,9D4483DB,?,?,?,?,00A023B3,000000FF), ref: 009E011C
Part of subcall function 009E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A023B3,000000FF), ref: 009E0127
Part of subcall function 009E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A023B3,000000FF), ref: 009E0138
Part of subcall function 009E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009E014E
Part of subcall function 009E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009E015C
Part of subcall function 009E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009E016A
Part of subcall function 009E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009E0195
Part of subcall function 009E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009E01A0

___scrt_fastfail.LIBCMT ref: 009E00E7

Part of subcall function 009E00A3: __onexit.LIBCMT ref: 009E00A9

Strings

SleepConditionVariableCS, xrefs: 009E0154
kernel32.dll, xrefs: 009E0133
InitializeConditionVariable, xrefs: 009E0148
WakeAllConditionVariable, xrefs: 009E0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 009E0122

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 71d5733b14e2188b41e36f7aa039e6eb4ffc3dbacdeb4980cbbcbbeae83f85ff
Instruction ID: e719fa3a6ba59ce057b94b490cce879099357981a7a31118e85496acac121cbd
Opcode Fuzzy Hash: 71d5733b14e2188b41e36f7aa039e6eb4ffc3dbacdeb4980cbbcbbeae83f85ff
Instruction Fuzzy Hash: 5521FC33648B507FD7129BF5AC06F2A37A8FB85F76F000526F801A7295DFB45C418A90

Function 00A230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A2318D
_wcslen.LIBCMT ref: 00A231F8

Strings

CLASS, xrefs: 00A23188, 00A231A5
INSTANCE, xrefs: 00A23453
TEXT, xrefs: 00A2347C
NAME, xrefs: 00A23335, 00A23346
REGEXPCLASS, xrefs: 00A23255, 00A23266
CLASSNN, xrefs: 00A231F3, 00A23204

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: c88866170a1acffe078e4feac180023396bd30204c205af459650e1bc5409953
Instruction ID: 77877c09a0fc223bb5682bdc3803edd0e66199dd83fee120e16cb85f984821db
Opcode Fuzzy Hash: c88866170a1acffe078e4feac180023396bd30204c205af459650e1bc5409953
Instruction Fuzzy Hash: 77E1D233E00526ABCF14EFBCD451BEDBBB0BF55750F14816AE856A7240DB34AE858790

Function 00A344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A5CC08), ref: 00A34527
_wcslen.LIBCMT ref: 00A3453B
_wcslen.LIBCMT ref: 00A34599
_wcslen.LIBCMT ref: 00A345F4
_wcslen.LIBCMT ref: 00A3463F
_wcslen.LIBCMT ref: 00A346A7

Part of subcall function 009DF9F2: _wcslen.LIBCMT ref: 009DF9FD

GetDriveTypeW.KERNEL32(?,00A86BF0,00000061), ref: 00A34743

Strings

removable, xrefs: 00A345EA, 00A345EF
network, xrefs: 00A3469D, 00A346A2
unknown, xrefs: 00A34708
fixed, xrefs: 00A34635, 00A3463A
ramdisk, xrefs: 00A346F1
all, xrefs: 00A34531, 00A34536
cdrom, xrefs: 00A3458F, 00A34594

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 2db4dd6d639bc36fa8d982d8ea4295d56fde02e6ed70823d656c903bdf013c44
Instruction ID: ebd115208ffa86db22a30e6b44368660d50c60515fae1c2f5a8e406ff8806893
Opcode Fuzzy Hash: 2db4dd6d639bc36fa8d982d8ea4295d56fde02e6ed70823d656c903bdf013c44
Instruction Fuzzy Hash: D9B1DF71A083029FC710EF28C891A6AB7E5BFE9764F50491DF496C7291E730ED45CBA2

Function 009C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A91990), ref: 00A02F8D
GetMenuItemCount.USER32(00A91990), ref: 00A0303D
GetCursorPos.USER32(?), ref: 00A03081
SetForegroundWindow.USER32(00000000), ref: 00A0308A
TrackPopupMenuEx.USER32(00A91990,00000000,?,00000000,00000000,00000000), ref: 00A0309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A030A9

Strings

0, xrefs: 009C327D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a5ca9bf200ad1a453bd4542db6bad71530e23c232555814d1550cf487704eb71
Instruction ID: 84ef5f59820021af7d1b93c876717b9f53a6ba0ec29b3df31ece90cff0056b78
Opcode Fuzzy Hash: a5ca9bf200ad1a453bd4542db6bad71530e23c232555814d1550cf487704eb71
Instruction Fuzzy Hash: 9A71087164031ABFEB258F64EC49FAABF68FF04364F208216F5256A1E0C7B1A910CB51

Function 00A56CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00A56DEB

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A56E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A56E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A56E94
DestroyWindow.USER32(?), ref: 00A56EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009C0000,00000000), ref: 00A56EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A56EFD
GetDesktopWindow.USER32 ref: 00A56F16
GetWindowRect.USER32(00000000), ref: 00A56F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A56F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A56F4D

Part of subcall function 009D9944: GetWindowLongW.USER32(?,000000EB), ref: 009D9952

Strings

0, xrefs: 00A56D98
tooltips_class32, xrefs: 00A56E58, 00A56EDD

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e7483ba50f5cf9e3d897292a3ec1bb240e40bde79b5501b53093786ebd4a9fc3
Instruction ID: 73e0dacf9506853b05303df2f99ecc27d07c8d02dc0bca734febb91d02649b2a
Opcode Fuzzy Hash: e7483ba50f5cf9e3d897292a3ec1bb240e40bde79b5501b53093786ebd4a9fc3
Instruction Fuzzy Hash: EA716770504345AFDB21CF58DC48FAABBE9FB99315F44091EF98987261CB74A90ACB12

Function 00A5911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00A59147

Part of subcall function 00A57674: ClientToScreen.USER32(?,?), ref: 00A5769A
Part of subcall function 00A57674: GetWindowRect.USER32(?,?), ref: 00A57710
Part of subcall function 00A57674: PtInRect.USER32(?,?,00A58B89), ref: 00A57720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A59225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A5923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A59255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A59277
DragFinish.SHELL32(?), ref: 00A5927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A59371

Strings

@GUI_DROPID, xrefs: 00A5929E
@GUI_DRAGID, xrefs: 00A592E9
@GUI_DRAGFILE, xrefs: 00A59320

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 6ac2013c845deb28c438991157a102f08588a278f211c4d3a4e5a79745b2722a
Instruction ID: 942c3381323ad9ae1e1426f83a75180277cc8c9eec61ee24af82f610333cb10d
Opcode Fuzzy Hash: 6ac2013c845deb28c438991157a102f08588a278f211c4d3a4e5a79745b2722a
Instruction Fuzzy Hash: 9A614771508301AFC701EFA4DC89EAFBBE9FBC9750F00092EF595961A1DB309A49CB52

Function 00A3C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A3C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A3C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A3C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A3C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A3C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A3C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A3C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A3C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A3C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A3C5F0
InternetCloseHandle.WININET(00000000), ref: 00A3C5FB

Strings

, xrefs: 00A3C575

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f52a8fb083119685ca3ba0435197a45932cfc9ef00e702c466bbdea13a81bac6
Instruction ID: d7940666685ecb6325c42f6cb5b5ec82dff50676df44b6eb6ea8873a9e8a3a74
Opcode Fuzzy Hash: f52a8fb083119685ca3ba0435197a45932cfc9ef00e702c466bbdea13a81bac6
Instruction Fuzzy Hash: C5514AB1540308BFDB21DFA4CD88AAB7BBCFF08765F00441AF946A6610DB34E945DB60

Function 00A5856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A58592
GetFileSize.KERNEL32(00000000,00000000), ref: 00A585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A585AD
CloseHandle.KERNEL32(00000000), ref: 00A585BA
GlobalLock.KERNEL32(00000000), ref: 00A585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A585D7
GlobalUnlock.KERNEL32(00000000), ref: 00A585E0
CloseHandle.KERNEL32(00000000), ref: 00A585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A5FC38,?), ref: 00A58611
GlobalFree.KERNEL32(00000000), ref: 00A58621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00A58641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A58671
DeleteObject.GDI32(00000000), ref: 00A58699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A586AF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d4342909890c7d7a131994673ff055d6cde5b1c88c86fa934c27ada374efd2a6
Instruction ID: 522a1798ad7263413b606fdccbc193f0e60ff1178dac15a87f882fa9cc89a48b
Opcode Fuzzy Hash: d4342909890c7d7a131994673ff055d6cde5b1c88c86fa934c27ada374efd2a6
Instruction Fuzzy Hash: 3241E875600308BFDB11DFA5DC48EAE7BB8FB89722F104158F906EB260DB349946DB60

Function 00A314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A31502
VariantCopy.OLEAUT32(?,?), ref: 00A3150B
VariantClear.OLEAUT32(?), ref: 00A31517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00A31657
VariantInit.OLEAUT32(?), ref: 00A31708
SysFreeString.OLEAUT32(?), ref: 00A3178C
VariantClear.OLEAUT32(?), ref: 00A317D8
VariantClear.OLEAUT32(?), ref: 00A317E7
VariantInit.OLEAUT32(00000000), ref: 00A31823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A31625
Default, xrefs: 00A316AF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 356c32d64f8f43e0d3441df4692fec0f2dbe160ab1b1c630210efc083c1fff0a
Instruction ID: e3bafa55b712f4ddecfc795ea0c52d4d607133dfa4a6af15130f7cba1b8a7a4a
Opcode Fuzzy Hash: 356c32d64f8f43e0d3441df4692fec0f2dbe160ab1b1c630210efc083c1fff0a
Instruction Fuzzy Hash: 1AD1F271A00215EFDB10EFA5E889B7DB7B5BF84700F14845AF846AB680DB30ED45DB62

Function 00A4B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A4B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A4B80A
RegCloseKey.ADVAPI32(?), ref: 00A4B87E
RegCloseKey.ADVAPI32(?), ref: 00A4B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A4B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A4B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A4B922
FreeLibrary.KERNEL32(00000000), ref: 00A4B983
RegCloseKey.ADVAPI32(00000000), ref: 00A4B994

Strings

RegDeleteKeyExW, xrefs: 00A4B8FE
advapi32.dll, xrefs: 00A4B8ED

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 76cb0251cd8a108774d38074004cf447206e8cf71960a1f6dfb798d1a53b7659
Instruction ID: bc367b7d4fb45e43d455916410a2553fa24ecf672409969db090de09fb81ec8e
Opcode Fuzzy Hash: 76cb0251cd8a108774d38074004cf447206e8cf71960a1f6dfb798d1a53b7659
Instruction Fuzzy Hash: B3C17D34618201AFD714DF24C495F2ABBE5BFC4318F14855CF49A8B2A2CB75ED46CBA2

Function 00A4255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A425E8
CreateCompatibleDC.GDI32(?), ref: 00A425F4
SelectObject.GDI32(00000000,?), ref: 00A42601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A4266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A426D0
SelectObject.GDI32(?,?), ref: 00A426D8
DeleteObject.GDI32(?), ref: 00A426E1
DeleteDC.GDI32(?), ref: 00A426E8
ReleaseDC.USER32(00000000,?), ref: 00A426F3

Strings

(, xrefs: 00A4268D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 44cc250f170948ed643161815d329a0a217666175372d0b79f0fee22ad1d52a1
Instruction ID: ef6cbbe1b229dccf9a3fc9c2d7696391cd313243df2d5b4a519eb311b279ff39
Opcode Fuzzy Hash: 44cc250f170948ed643161815d329a0a217666175372d0b79f0fee22ad1d52a1
Instruction Fuzzy Hash: 0261D175D00219EFCF14CFE8D984AAEBBB5FF48310F208529E956A7250E770A951CF64

Function 009FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 009FDAA1

Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD659
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD66B
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD67D
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD68F
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6A1
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6B3
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6C5
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6D7
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6E9
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6FB
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD70D
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD71F
Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD731

_free.LIBCMT ref: 009FDA96

Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0

_free.LIBCMT ref: 009FDAB8
_free.LIBCMT ref: 009FDACD
_free.LIBCMT ref: 009FDAD8
_free.LIBCMT ref: 009FDAFA
_free.LIBCMT ref: 009FDB0D
_free.LIBCMT ref: 009FDB1B
_free.LIBCMT ref: 009FDB26
_free.LIBCMT ref: 009FDB5E
_free.LIBCMT ref: 009FDB65
_free.LIBCMT ref: 009FDB82
_free.LIBCMT ref: 009FDB9A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9ef609beac75fac2c989c299e2ba2b29606bcd31b3248c22417f591ebf266eb7
Instruction ID: ae66c3670022219bd06e6851a396f0a3feec487c6a13d69f88e477d786d6f4eb
Opcode Fuzzy Hash: 9ef609beac75fac2c989c299e2ba2b29606bcd31b3248c22417f591ebf266eb7
Instruction Fuzzy Hash: A231583164520E9FEB22AF38E945B7AB7EEFF40321F114529E648D7191DB71EC808B24

Function 00A2365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A2369C
_wcslen.LIBCMT ref: 00A236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A23797
GetClassNameW.USER32(?,?,00000400), ref: 00A2380C
GetDlgCtrlID.USER32(?), ref: 00A2385D
GetWindowRect.USER32(?,?), ref: 00A23882
GetParent.USER32(?), ref: 00A238A0
ScreenToClient.USER32(00000000), ref: 00A238A7
GetClassNameW.USER32(?,?,00000100), ref: 00A23921
GetWindowTextW.USER32(?,?,00000400), ref: 00A2395D

Strings

%s%u, xrefs: 00A23734

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e529c446bc74db7a9c8ffbd893dde0755e4455de0b7f9e5427356610e05de952
Instruction ID: efc2fde7ddfea340dd9dcc5abb149071e9922f1092532849ba5e5c58a89131a2
Opcode Fuzzy Hash: e529c446bc74db7a9c8ffbd893dde0755e4455de0b7f9e5427356610e05de952
Instruction Fuzzy Hash: 5F91F572200316AFDB09DF68D894FAAF7E9FF46310F004529F999C6190DB34EA46CB91

Function 00A24954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A24994
GetWindowTextW.USER32(?,?,00000400), ref: 00A249DA
_wcslen.LIBCMT ref: 00A249EB
CharUpperBuffW.USER32(?,00000000), ref: 00A249F7
_wcsstr.LIBVCRUNTIME ref: 00A24A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A24A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A24A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A24AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A24B20
GetWindowRect.USER32(?,?), ref: 00A24B8B

Strings

ThumbnailClass, xrefs: 00A24A6F, 00A24AF1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a3c00c1c6862942d300c95cb1bc97636049fe31284c2c607b2ead21a1941a6de
Instruction ID: 47aa791ac01c8440910453e3e30f457e3dbd6ed521b3c10de2b690f505259407
Opcode Fuzzy Hash: a3c00c1c6862942d300c95cb1bc97636049fe31284c2c607b2ead21a1941a6de
Instruction Fuzzy Hash: 9391CE710043159FDB04DF18E985BAA7BE8FF88354F048479FD859A196EB30EE45CBA1

Function 00A4CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A4CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A4CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A4CD48

Part of subcall function 00A4CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A4CCAA
Part of subcall function 00A4CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A4CCBD
Part of subcall function 00A4CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A4CCCF
Part of subcall function 00A4CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A4CD05
Part of subcall function 00A4CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A4CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A4CCF3

Strings

RegDeleteKeyExW, xrefs: 00A4CCC9
advapi32.dll, xrefs: 00A4CCB8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a04c15101ec7698f0962d2e16cda030b761c8566dfe5377bd33a38028728f6ce
Instruction ID: deaa6e96e9b3065ac74ee05b94bf1f385f37acf685b1ab8b6e535704b0a5de0b
Opcode Fuzzy Hash: a04c15101ec7698f0962d2e16cda030b761c8566dfe5377bd33a38028728f6ce
Instruction Fuzzy Hash: A4318075902229BFD760DB90DC88EFFBB7CFF45761F000165A909E3154DB349A46DAA0

Function 00A33D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A33D40
_wcslen.LIBCMT ref: 00A33D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A33D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A33DBE
RemoveDirectoryW.KERNEL32(?), ref: 00A33DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A33E55
CloseHandle.KERNEL32(00000000), ref: 00A33E60
CloseHandle.KERNEL32(00000000), ref: 00A33E6B

Strings

\??\%s, xrefs: 00A33D5B
\, xrefs: 00A33D77
:, xrefs: 00A33D82

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 801299b061efc85626e02266715758aeb7857fc88588e787913bc980b63ebb91
Instruction ID: 74e2976889ed84807ad573d64b2c618b927f2cfdadeb3fe54b9f3d5141b84329
Opcode Fuzzy Hash: 801299b061efc85626e02266715758aeb7857fc88588e787913bc980b63ebb91
Instruction Fuzzy Hash: A131BE72904309AADB21DBA0DC49FEF77BCFF88751F1040A6F609D6064EB7097858B24

Function 00A2E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A2E6B4

Part of subcall function 009DE551: timeGetTime.WINMM(?,?,00A2E6D4), ref: 009DE555

Sleep.KERNEL32(0000000A), ref: 00A2E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A2E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A2E727
SetActiveWindow.USER32 ref: 00A2E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A2E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A2E773
Sleep.KERNEL32(000000FA), ref: 00A2E77E
IsWindow.USER32 ref: 00A2E78A
EndDialog.USER32(00000000), ref: 00A2E79B

Strings

BUTTON, xrefs: 00A2E719

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 39ebc8070d06976e5a2a15ecc55f00afaddf341ff301d6d59a29e38230073e09
Instruction ID: 4f076fe5244ecd09a2d1d3fd3968b26a2b4bf94ac89bf665e58186ba3741ae6a
Opcode Fuzzy Hash: 39ebc8070d06976e5a2a15ecc55f00afaddf341ff301d6d59a29e38230073e09
Instruction Fuzzy Hash: 36214CB0204315BFEB10DFA8FCC9B263A69F75575AB101436F506826A2DE65AC528B24

Function 00A2E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A2EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A2EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A2EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A2EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A2EAA7

Strings

close PlayMe, xrefs: 00A2EA6E, 00A2EA9B
play PlayMe, xrefs: 00A2EAA2
open , xrefs: 00A2EA0C
play PlayMe wait, xrefs: 00A2EA91
status PlayMe mode, xrefs: 00A2EA58
alias PlayMe, xrefs: 00A2EA36

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 041f0b1a09fea1ddee6f9b768fda9a660eadf2515e30915667d172e2d619c932
Instruction ID: 3b4215a81059596d56d4ac53dde910fe986df5283176b7b930a6881e38c17ec7
Opcode Fuzzy Hash: 041f0b1a09fea1ddee6f9b768fda9a660eadf2515e30915667d172e2d619c932
Instruction Fuzzy Hash: 63115E31A9026979E724F7A5EC4AFFF7A7CFBD1B40F400829B811A20D1EAB00955C6B1

Function 00A25CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A25CE2
GetWindowRect.USER32(00000000,?), ref: 00A25CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A25D59
GetDlgItem.USER32(?,00000002), ref: 00A25D69
GetWindowRect.USER32(00000000,?), ref: 00A25D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A25DCF
GetDlgItem.USER32(?,000003E9), ref: 00A25DDD
GetWindowRect.USER32(00000000,?), ref: 00A25DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A25E31
GetDlgItem.USER32(?,000003EA), ref: 00A25E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A25E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A25E67

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 004c4679233b27e3a4a53d19ee6bfbaf7e594c9a6750a66681ef693b37cfdcbc
Instruction ID: c9aabfeb73c161ab8e9ea7a989bb66b9353b84870aebc7ee4ccb24dfb21c2a72
Opcode Fuzzy Hash: 004c4679233b27e3a4a53d19ee6bfbaf7e594c9a6750a66681ef693b37cfdcbc
Instruction Fuzzy Hash: 19512C70E00715AFDF18CFA8DD89AAEBBB5FB48311F148129F915E6694D7709E01CB50

Function 009D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009D8BE8,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 009D8FC5

DestroyWindow.USER32(?), ref: 009D8C81
KillTimer.USER32(00000000,?,?,?,?,009D8BBA,00000000,?), ref: 009D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A16973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 00A169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 00A169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,009D8BBA,00000000), ref: 00A169D4
DeleteObject.GDI32(00000000), ref: 00A169E6

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cbb2e111858215e0a3a52c9f5c560d1e412eb28a00618c2c0d2e6aa883acdf59
Instruction ID: 11a4c3854aed6cc81884d1542c0ea4547b0946f26ae3924927c624a27ae41c0c
Opcode Fuzzy Hash: cbb2e111858215e0a3a52c9f5c560d1e412eb28a00618c2c0d2e6aa883acdf59
Instruction Fuzzy Hash: BA618E30552701DFCB25DF64D988B6A77F5FB50322F14891AE0829BAA1CB35A9C2DF90

Function 009D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 009D9944: GetWindowLongW.USER32(?,000000EB), ref: 009D9952

GetSysColor.USER32(0000000F), ref: 009D9862

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 88ad99ab739fdf913394b673798b2053b924e0c420240c7ef3e6e4b5df388f68
Instruction ID: 414ee3ba8683eaf4075efd3905939e5ea576bb07ecb7bed2bd4f6bd1220dcc0c
Opcode Fuzzy Hash: 88ad99ab739fdf913394b673798b2053b924e0c420240c7ef3e6e4b5df388f68
Instruction Fuzzy Hash: F641A6311447449FDF20AF789C84BB9376AFB06731F148616F9A2872E5D7319D42EB10

Function 00A296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A29717
LoadStringW.USER32(00000000,?,00A0F7F8,00000001), ref: 00A29720

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A29742
LoadStringW.USER32(00000000,?,00A0F7F8,00000001), ref: 00A29745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A29866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A2984A
Error: , xrefs: 00A2981D
Line %d:, xrefs: 00A297A0
^ ERROR, xrefs: 00A297FB
Line %d (File "%s"):, xrefs: 00A2978F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: cd4b4431c2c1a0905f0bea937a2084e4d300e20f0b0338065898218dd2e46e5d
Instruction ID: b0461f4438b3025dd9e9c20842c00e95f15107d0cb39db11d55cc39522cd33df
Opcode Fuzzy Hash: cd4b4431c2c1a0905f0bea937a2084e4d300e20f0b0338065898218dd2e46e5d
Instruction Fuzzy Hash: B7415D72D00219AADB04FBE0DE46FEE7378AF94740F504129B60672092EB356F49CB62

Function 00A206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A20804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A2082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A20837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A2083C

Strings

\IPC$, xrefs: 00A20784
\CLSID, xrefs: 00A20724
SOFTWARE\Classes\, xrefs: 00A2070E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 43dc75fe00457624c6f4ce2b08de82bda1cf51ac848ec7fc4e78908f229f917c
Instruction ID: dfd0e0dd56b1d0d8de0a5d90208b8baa500768f2d66b7799124b17b6eda8ff6b
Opcode Fuzzy Hash: 43dc75fe00457624c6f4ce2b08de82bda1cf51ac848ec7fc4e78908f229f917c
Instruction Fuzzy Hash: B341F472D10629AFDF15EBA4EC95EEEB778FF44354B444129E901A31A1EB309E04CBA1

Function 00A43C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A43C5C
CoInitialize.OLE32(00000000), ref: 00A43C8A
CoUninitialize.OLE32 ref: 00A43C94
_wcslen.LIBCMT ref: 00A43D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A43DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A43ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A43F0E
CoGetObject.OLE32(?,00000000,00A5FB98,?), ref: 00A43F2D
SetErrorMode.KERNEL32(00000000), ref: 00A43F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A43FC4
VariantClear.OLEAUT32(?), ref: 00A43FD8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d965c168becba83c277ed4cad40c321fcd0930628d1729ba0c00e8e918997711
Instruction ID: 30c070249bf29bffece4f11be6afedb374f86b3653eb8945fb3120951be108f9
Opcode Fuzzy Hash: d965c168becba83c277ed4cad40c321fcd0930628d1729ba0c00e8e918997711
Instruction Fuzzy Hash: 0EC11376A08301AFDB00DF68C88592AB7E9FFC9754F10491DF98A9B251D731EE06CB52

Function 00A37A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A37AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A37B8F
SHGetDesktopFolder.SHELL32(?), ref: 00A37BA3
CoCreateInstance.OLE32(00A5FD08,00000000,00000001,00A86E6C,?), ref: 00A37BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A37C74
CoTaskMemFree.OLE32(?,?), ref: 00A37CCC
SHBrowseForFolderW.SHELL32(?), ref: 00A37D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A37D7A
CoTaskMemFree.OLE32(00000000), ref: 00A37D81
CoTaskMemFree.OLE32(00000000), ref: 00A37DD6
CoUninitialize.OLE32 ref: 00A37DDC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9784c12b081a2eae01f9277cde14f7c49f79e0926cdc90572db723cb3557ce66
Instruction ID: 98824941810586c924e2a9ce8445499bbb63c15d050663c5a83e9081f9dd8de9
Opcode Fuzzy Hash: 9784c12b081a2eae01f9277cde14f7c49f79e0926cdc90572db723cb3557ce66
Instruction Fuzzy Hash: 9EC1EB75A04219AFCB14DFA4C884EAEBBF5FF48314F148499F41A9B261D731ED45CB90

Function 00A5541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A55504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A55515
CharNextW.USER32(00000158), ref: 00A55544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A55585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A5559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A555AC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 789ddc91323418d73ead6dba1a70c683c66145d635c8f19dcc32abceba21f3aa
Instruction ID: c6bc1ed734ffbdf1c8d5ba637f91185e742cbdddaa94d945da16738d047c0381
Opcode Fuzzy Hash: 789ddc91323418d73ead6dba1a70c683c66145d635c8f19dcc32abceba21f3aa
Instruction Fuzzy Hash: E3617D70D00609EFDF10CFA4CC94AFE7BB9FB09722F108145F925A6290D7788A89DB60

Function 00A1FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A1FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A1FB08
VariantInit.OLEAUT32(?), ref: 00A1FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A1FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A1FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A1FBA1
VariantClear.OLEAUT32(?), ref: 00A1FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A1FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A1FBCC
VariantClear.OLEAUT32(?), ref: 00A1FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A1FBE9

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: fcbc157223d4084587d88b8995cff1d5819dc793b478ba9f6dab4cb386b9f337
Instruction ID: 914d0fbbea5656e06fc48439017a673691142ead33b386c89e432589a1005139
Opcode Fuzzy Hash: fcbc157223d4084587d88b8995cff1d5819dc793b478ba9f6dab4cb386b9f337
Instruction Fuzzy Hash: 6B414275A04319AFCB00DFA8C858DEDBBB9FF48355F008069E956A7265C734AA46CF90

Function 00A29C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A29CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A29D22
GetKeyState.USER32(000000A0), ref: 00A29D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A29D57
GetKeyState.USER32(000000A1), ref: 00A29D6C
GetAsyncKeyState.USER32(00000011), ref: 00A29D84
GetKeyState.USER32(00000011), ref: 00A29D96
GetAsyncKeyState.USER32(00000012), ref: 00A29DAE
GetKeyState.USER32(00000012), ref: 00A29DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A29DD8
GetKeyState.USER32(0000005B), ref: 00A29DEA

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c496ecba508c7017389c3819cc714f2d6f410409a6f08a3fdc3030f36958ed75
Instruction ID: ad03f5a077e4beb9c49121786f25d4ccf60c744fcbebcebf000ef82ccd70f61d
Opcode Fuzzy Hash: c496ecba508c7017389c3819cc714f2d6f410409a6f08a3fdc3030f36958ed75
Instruction Fuzzy Hash: C241E7345047D96DFF3487A8E8043B7BEE07F11B44F04807ADAC6565C2EBA499C8D7A2

Function 00A4055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A405BC
inet_addr.WSOCK32(?), ref: 00A4061C
gethostbyname.WSOCK32(?), ref: 00A40628
IcmpCreateFile.IPHLPAPI ref: 00A40636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A407B9
WSACleanup.WSOCK32 ref: 00A407BF

Strings

Ping, xrefs: 00A40676

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a294241b4cc00229f6c67c26e7f2b9f0a64a6b34d05c2abf4a4b1c2fae685511
Instruction ID: 78afe8c3c60fb574c4a0473795ad5f09b754f55eba3734da6f2aa91d388f88ec
Opcode Fuzzy Hash: a294241b4cc00229f6c67c26e7f2b9f0a64a6b34d05c2abf4a4b1c2fae685511
Instruction Fuzzy Hash: 03917C396047019FD320DF15C489F1ABBE0BF88318F1585A9F56A8B6A2C770ED41DF92

Function 00A48CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A48CF3

Part of subcall function 00A28E54: _wcslen.LIBCMT ref: 00A28E77

_wcslen.LIBCMT ref: 00A48D4E
_wcslen.LIBCMT ref: 00A48D9C
_wcslen.LIBCMT ref: 00A48DDC
_wcslen.LIBCMT ref: 00A48E6E

Strings

winapi, xrefs: 00A48D96, 00A48D9B
cdecl, xrefs: 00A48D48, 00A48D4D
none, xrefs: 00A48E65, 00A48E6A
stdcall, xrefs: 00A48DD6, 00A48DDB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5ac38d9dedf2c9eb13315bd5ce535341b2e624579ccaf1ec6addb2cc3f27d6a9
Instruction ID: a307dddd8a6383ddbdd0aa96a57734bb34d575b78b83ca14a5af6b91cb6e6c5e
Opcode Fuzzy Hash: 5ac38d9dedf2c9eb13315bd5ce535341b2e624579ccaf1ec6addb2cc3f27d6a9
Instruction Fuzzy Hash: 0C519035E011169BCF14EF6CD9419BEB7B5BFA4724B204229E826E72C5EB39DD40C790

Function 00A4372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A43774
CoUninitialize.OLE32 ref: 00A4377F
CoCreateInstance.OLE32(?,00000000,00000017,00A5FB78,?), ref: 00A437D9
IIDFromString.OLE32(?,?), ref: 00A4384C
VariantInit.OLEAUT32(?), ref: 00A438E4
VariantClear.OLEAUT32(?), ref: 00A43936

Strings

NULL Pointer assignment, xrefs: 00A4381E
Invalid parameter, xrefs: 00A43865
Failed to create object, xrefs: 00A437E4, 00A4389A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d2bbf7fcea149bf75cbc623f205972a2edbb659791b43867348089982800e869
Instruction ID: b6c7060e837f9dba3a5396fd84ffe82f19b03541a48a8c2f77789e330b4d6146
Opcode Fuzzy Hash: d2bbf7fcea149bf75cbc623f205972a2edbb659791b43867348089982800e869
Instruction Fuzzy Hash: A761AC76608311AFDB10DF54C889F6ABBE8FF88711F104819F9859B291D770EE49CB92

Function 00A38195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A38257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A38267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A38273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A38310
SetCurrentDirectoryW.KERNEL32(?), ref: 00A38324
SetCurrentDirectoryW.KERNEL32(?), ref: 00A38356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A3838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00A38395

Strings

*.*, xrefs: 00A3839B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e33b5a944085179654e49efb61a0ea4e1338e365bb77158375b011179fc0a37b
Instruction ID: 3522f84bf16a1b8165ca86eddcd672524166c7b9d91ad70224363dd223f2bf20
Opcode Fuzzy Hash: e33b5a944085179654e49efb61a0ea4e1338e365bb77158375b011179fc0a37b
Instruction Fuzzy Hash: 0B6169B25043459FC710EF64C841AAEB3E8FF89324F04892EF99997251DB35E945CB92

Function 00A33388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A333CF

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A333F0

Strings

Incorrect parameters to object property !, xrefs: 00A334AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00A33504
Error: , xrefs: 00A334D1
"%s" (%d) : ==> %s:, xrefs: 00A33522
Line %d (File "%s"):, xrefs: 00A33443, 00A3345C
^ ERROR , xrefs: 00A3349E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d44804f8786674fc59644873632f72e489ef725a4ba09af0de34168acff7d947
Instruction ID: ba21bea0186e265c72785cde7a695fcc7e83f611c78ed2f4e7cafe6f776f0c64
Opcode Fuzzy Hash: d44804f8786674fc59644873632f72e489ef725a4ba09af0de34168acff7d947
Instruction Fuzzy Hash: 4C516D32D40209BADF15EBE0DE46FEEB778AF44740F108569B50572092EB356F58CB61

Function 00A2B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A2B5FC
_wcslen.LIBCMT ref: 00A2B608
_wcslen.LIBCMT ref: 00A2B64D
_wcslen.LIBCMT ref: 00A2B68C
_wcslen.LIBCMT ref: 00A2B6C7

Strings

KEYS, xrefs: 00A2B647, 00A2B64C
EXISTS, xrefs: 00A2B686, 00A2B68B
APPEND, xrefs: 00A2B6C1, 00A2B6C6
REMOVE, xrefs: 00A2B602, 00A2B607

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4ead0f05c26552516beee98527644e3dddc3f4de9d47b8f46968ae2f44ada3b4
Instruction ID: 46c1c9c884d373bcdcf3cb40374bfdd291e83e4672a6a43a76fbbd1da6c5ac51
Opcode Fuzzy Hash: 4ead0f05c26552516beee98527644e3dddc3f4de9d47b8f46968ae2f44ada3b4
Instruction Fuzzy Hash: 9D41B632A111379BCB206F7D9C905BE77B5BFA0B94B244539E462DB284E735CD81C7A0

Function 00A35393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A35416
GetLastError.KERNEL32 ref: 00A35420
SetErrorMode.KERNEL32(00000000,READY), ref: 00A354A7

Strings

NOTREADY, xrefs: 00A3544B
UNKNOWN, xrefs: 00A35444
INVALID, xrefs: 00A35459
READY, xrefs: 00A35460, 00A35468
READONLY, xrefs: 00A35452

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 49722581a54e62b998974119564c751df4237b646541218a1d241b8bbb6b08e0
Instruction ID: 04240408bdc60675215ff405ce279f1ecdc8c625705f0380657f9d3416175fdd
Opcode Fuzzy Hash: 49722581a54e62b998974119564c751df4237b646541218a1d241b8bbb6b08e0
Instruction Fuzzy Hash: 7F318935E006049FD718EF6CC884BAABBB5FF44305F148069F8068B2A2DB31DD82CB91

Function 00A53C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A53C79
SetMenu.USER32(?,00000000), ref: 00A53C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A53D10
IsMenu.USER32(?), ref: 00A53D24
CreatePopupMenu.USER32 ref: 00A53D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A53D5B
DrawMenuBar.USER32 ref: 00A53D63

Strings

F, xrefs: 00A53D4E
0, xrefs: 00A53C54

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: dd332463ce5fbf6d6771435325e064225c671b7954f3b491acdbd2c70d90db56
Instruction ID: 685daa3a907af66e306d3af82fb65fa458535ce5e18ceb9dd864fa5a495cce0d
Opcode Fuzzy Hash: dd332463ce5fbf6d6771435325e064225c671b7954f3b491acdbd2c70d90db56
Instruction Fuzzy Hash: 80415676A01309AFDF14CFA4D884BAA7BB5FF89391F140429ED46A7360D730AA15CB90

Function 00A21EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A21F64
GetDlgCtrlID.USER32 ref: 00A21F6F
GetParent.USER32 ref: 00A21F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A21F8E
GetDlgCtrlID.USER32(?), ref: 00A21F97
GetParent.USER32(?), ref: 00A21FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A21FAE

Strings

ComboBox, xrefs: 00A21EEC
ListBox, xrefs: 00A21F21

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 40684148a60a31cf5cba3e059594f5fec743878e1cb0385e52d67f83196a565d
Instruction ID: 4eb3cae89d7f6268f298177a4dfa0ecb57e0e2bbde539b8883dc4bbadeffb674
Opcode Fuzzy Hash: 40684148a60a31cf5cba3e059594f5fec743878e1cb0385e52d67f83196a565d
Instruction Fuzzy Hash: 7D21A171D00214BFCF04AFA4DD85EEEBBB5EB15310B004126B96567291DB385A19DB60

Function 00A53A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A53A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A53AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A53AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A53AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A53B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A53BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A53BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A53BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A53BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A53C13

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: fe82c94943c949cc1c27eaf8f6c07b422911fe9be4218e809d8b783c7d38fee3
Instruction ID: efff284dba8c88168c84f0f4a9c49356ee50787f2ba08ac695f2c7cfb00af348
Opcode Fuzzy Hash: fe82c94943c949cc1c27eaf8f6c07b422911fe9be4218e809d8b783c7d38fee3
Instruction Fuzzy Hash: 01616C75A00248AFDB11DFA8CC81EEE77B8FB49710F10419AFA15E7291C774AE49DB50

Function 00A2B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A2B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A2B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A2B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B21D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 05adbb51ab8344e0cb604bf94cf934eb17b2e3bb0c36babfe7e236ce677a019e
Instruction ID: 8062cafe65b66a0e9f64780ac72f558c77f9f18d415a8c6ce2694c8996e3f3a0
Opcode Fuzzy Hash: 05adbb51ab8344e0cb604bf94cf934eb17b2e3bb0c36babfe7e236ce677a019e
Instruction Fuzzy Hash: D0317F72620314EFDB10DFA8EC44BAE7BB9BB51322F104125FA05D61A1DBB49A42CB70

Function 009F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009F2C94

Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0

_free.LIBCMT ref: 009F2CA0
_free.LIBCMT ref: 009F2CAB
_free.LIBCMT ref: 009F2CB6
_free.LIBCMT ref: 009F2CC1
_free.LIBCMT ref: 009F2CCC
_free.LIBCMT ref: 009F2CD7
_free.LIBCMT ref: 009F2CE2
_free.LIBCMT ref: 009F2CED
_free.LIBCMT ref: 009F2CFB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7098d777ad2dcf9e01eabea6d5be60adc47228819ebe3932f22528762ad55077
Instruction ID: f18dabf9773c837c5f498eb9640a99ff93b51a3ca78c7f45fa91dedbc2f84536
Opcode Fuzzy Hash: 7098d777ad2dcf9e01eabea6d5be60adc47228819ebe3932f22528762ad55077
Instruction Fuzzy Hash: 5511B97614010DBFCB02EF54D942EED3BA5FF45350F5144A5FA485F222D671EE909B90

Function 00A37DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A37FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A37FC1
GetFileAttributesW.KERNEL32(?), ref: 00A37FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A38005
SetCurrentDirectoryW.KERNEL32(?), ref: 00A38017
SetCurrentDirectoryW.KERNEL32(?), ref: 00A38060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A380B0

Strings

*.*, xrefs: 00A38066

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9024f141150624a43312bb4234440b047b73ced0bd781a93b18479a6f2658ec8
Instruction ID: 1cd60bbb6f589dbf2b75bda43ff4d9eadd1acbd67181b40387ef3bed7579f4fc
Opcode Fuzzy Hash: 9024f141150624a43312bb4234440b047b73ced0bd781a93b18479a6f2658ec8
Instruction Fuzzy Hash: FD818DB25083459FCB24EF54C885AAEB3E8BF89310F64486EF885D7251EB34DD498B52

Function 009C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 009C5C7A

Part of subcall function 009C5D0A: GetClientRect.USER32(?,?), ref: 009C5D30
Part of subcall function 009C5D0A: GetWindowRect.USER32(?,?), ref: 009C5D71
Part of subcall function 009C5D0A: ScreenToClient.USER32(?,?), ref: 009C5D99

GetDC.USER32 ref: 00A046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A04708
SelectObject.GDI32(00000000,00000000), ref: 00A04716
SelectObject.GDI32(00000000,00000000), ref: 00A0472B
ReleaseDC.USER32(?,00000000), ref: 00A04733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A047C4

Strings

U, xrefs: 00A04693

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ec46d368ad7d47d1aa0cf0495153ee9d34e5fb9d6b9cb4f5d057b66f355ad337
Instruction ID: 89d53a4b71033b593fbd07978b82893c46c937217923639438c3ae5c60378a48
Opcode Fuzzy Hash: ec46d368ad7d47d1aa0cf0495153ee9d34e5fb9d6b9cb4f5d057b66f355ad337
Instruction Fuzzy Hash: BB71F070900209DFCF21CF64D984ABA3BB5FF4A360F144269EE515A2A6D7319C81DF60

Function 00A3359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A335E4

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

LoadStringW.USER32(00A92390,?,00000FFF,?), ref: 00A3360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00A33724
Error: , xrefs: 00A336EF
"%s" (%d) : ==> %s:, xrefs: 00A33742
^ ERROR, xrefs: 00A336C9
Line %d (File "%s"):, xrefs: 00A3366B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 44754dd4c46ff66f57f6cd12a4302c974e6e763de5459a9f48a9e0cd7997cb52
Instruction ID: 3dfe3cee3e3a7a9a5cd1f29dba94d9a6a3a12c67675f44bb9b5e8b2f353ee087
Opcode Fuzzy Hash: 44754dd4c46ff66f57f6cd12a4302c974e6e763de5459a9f48a9e0cd7997cb52
Instruction Fuzzy Hash: 1B516B72D0020ABBDF14EBE0DD46FEEBB38AF44340F148129F105721A1EB305A99DBA1

Function 00A3C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A3C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A3C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A3C2CA
GetLastError.KERNEL32 ref: 00A3C322
SetEvent.KERNEL32(?), ref: 00A3C336
InternetCloseHandle.WININET(00000000), ref: 00A3C341

Strings

, xrefs: 00A3C2BB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7a2a062f4e718716671884571721ab220e7a0bdab03ab8e2ab6a5641fdfd0854
Instruction ID: 21ecadc133153b52e691adc6900676ab8025897685610b8533b1ac23a9c95c85
Opcode Fuzzy Hash: 7a2a062f4e718716671884571721ab220e7a0bdab03ab8e2ab6a5641fdfd0854
Instruction Fuzzy Hash: 75316BB1600308AFD721EFA49D88AABBBFCFB49764F14851EF446A7200DB34DD059B61

Function 00A2989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A03AAF,?,?,Bad directive syntax error,00A5CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A298BC
LoadStringW.USER32(00000000,?,00A03AAF,?), ref: 00A298C3

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A29987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00A298F1
Error: , xrefs: 00A29955
Line %d:, xrefs: 00A29912
Line %d (File "%s"):, xrefs: 00A2992D
., xrefs: 00A2996D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 966c63b272de24310b2bee11d5baf98afc3720af0e71edae6b1178f0630d0f7c
Instruction ID: db61908732acc9cc4f730683d0c0c6a4630617381dba5477b2fb1f28e4d20457
Opcode Fuzzy Hash: 966c63b272de24310b2bee11d5baf98afc3720af0e71edae6b1178f0630d0f7c
Instruction Fuzzy Hash: 9B216B31D4021ABBDF11AF90DC0AFEE7739FF18700F04882AF519660A2EA319658DB11

Function 00A2209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A2214D

Strings

largeicons, xrefs: 00A220E1
smallicons, xrefs: 00A22115
details, xrefs: 00A220FB
list, xrefs: 00A2212F
SHELLDLL_DefView, xrefs: 00A220CC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2f092f4716b4a770c6d576b728d5725853ceca18ee8d1e5c188baf3d5cddc1ef
Instruction ID: 40fa0dd4af0c8073c0c5e5fa2c6dfd83c2841f6b881b820a0f00748c51c4b145
Opcode Fuzzy Hash: 2f092f4716b4a770c6d576b728d5725853ceca18ee8d1e5c188baf3d5cddc1ef
Instruction Fuzzy Hash: 9211E77AA88716B9F6017665EC0AEE637ACEF14334B200236FB04A50D1FE655D225718

Function 009F8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7b904fb85da3b0f44a599a8b6be82bb48e1cdb56ecea73b9aef6431d3b99fc
Instruction ID: 22f30bd5c1cb97e8eeefd3e9bcfe2860d1b49dbf751a11b5ad49ea1c0c213513
Opcode Fuzzy Hash: ee7b904fb85da3b0f44a599a8b6be82bb48e1cdb56ecea73b9aef6431d3b99fc
Instruction Fuzzy Hash: 45C1F475A0424DAFCB11DFA9D841BBEBBB4BF49310F18409AE614A7392CB359D41CB61

Function 009FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 009FCEB7
_free.LIBCMT ref: 009FCF22
_free.LIBCMT ref: 009FCF48
_free.LIBCMT ref: 009FCF71
_free.LIBCMT ref: 009FCFA9
_free.LIBCMT ref: 009FCFDA
_free.LIBCMT ref: 009FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 009FD09C
_free.LIBCMT ref: 009FD0B5

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 741a135dfe7f06c6bd0f4143c5df2d8539ff66cc1202c31e9ac77a5ab38d351e
Instruction ID: a5404ddf25dcbbce005c6b01227dbdf8af0c46539cc397e41768558626701ab3
Opcode Fuzzy Hash: 741a135dfe7f06c6bd0f4143c5df2d8539ff66cc1202c31e9ac77a5ab38d351e
Instruction Fuzzy Hash: 64614AB1A0430DAFDB21AFB49981B7EBBA9EF45350F04816EFB419B281DB319D018790

Function 00A550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A55186
ShowWindow.USER32(?,00000000), ref: 00A551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00A551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A551D1

Part of subcall function 00A56FBA: DeleteObject.GDI32(00000000), ref: 00A56FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A5520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A5521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A5524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A55287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A55296

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 907c32edd3a28a417a179961453b7841faf26ae70a819bcecfd5c746578b49db
Instruction ID: 0913c2a350449938e83e17379cf4799f7ee40227283e48aa1c2007e78c07f0ba
Opcode Fuzzy Hash: 907c32edd3a28a417a179961453b7841faf26ae70a819bcecfd5c746578b49db
Instruction Fuzzy Hash: D3518F30E50A08BEEF20AF74CC66BD93BB5FB15322F148112FE15966E0C775A988DB41

Function 009D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A16890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A16901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A1691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A1692D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 22144a6c0bba86b306839d8217eaf2462d78c15343bd456f5ce7bec7bc1a148a
Instruction ID: 23c7c6d811c38b28ec1093c531a93377bba6bb758189a1a9e1e8445b2aa4420b
Opcode Fuzzy Hash: 22144a6c0bba86b306839d8217eaf2462d78c15343bd456f5ce7bec7bc1a148a
Instruction Fuzzy Hash: 2B51A770640309AFDB20CF64CC95FAA7BB5FB48760F10891AF912D72A0DB78E991DB40

Function 00A3C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A3C182
GetLastError.KERNEL32 ref: 00A3C195
SetEvent.KERNEL32(?), ref: 00A3C1A9

Part of subcall function 00A3C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A3C272
Part of subcall function 00A3C253: GetLastError.KERNEL32 ref: 00A3C322
Part of subcall function 00A3C253: SetEvent.KERNEL32(?), ref: 00A3C336
Part of subcall function 00A3C253: InternetCloseHandle.WININET(00000000), ref: 00A3C341

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 19074fee050ae2b69a8df91ccf850a2abf3c504d0170a7160deb0aa4d85286c0
Instruction ID: c086b16b7af2cef39879392ac1115fa89f3fab25390a5b3911d3d2b4022adaf1
Opcode Fuzzy Hash: 19074fee050ae2b69a8df91ccf850a2abf3c504d0170a7160deb0aa4d85286c0
Instruction Fuzzy Hash: 7331AD71200705AFDB21AFE5DD04AABBBF8FF18321F00451DF956A6610D730E811EBA0

Function 00A225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A23A57
Part of subcall function 00A23A3D: GetCurrentThreadId.KERNEL32 ref: 00A23A5E
Part of subcall function 00A23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A225B3), ref: 00A23A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A22601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A22605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A2260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A22623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A22627

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: eb5ff3b719197696e6828b1152eddafa1f6d4babe30a748a96de5856c1516165
Instruction ID: 72f41db1474bf3037cb47f62c79c20b3fd5f7889cf83735b759789c9de85b1d3
Opcode Fuzzy Hash: eb5ff3b719197696e6828b1152eddafa1f6d4babe30a748a96de5856c1516165
Instruction Fuzzy Hash: 3501D831390720BBFB10A7A89C8AF593F99EB4EB62F100021F314AE1D5C9E614458A69

Function 00A21803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A21449,?,?,00000000), ref: 00A2180C
HeapAlloc.KERNEL32(00000000,?,00A21449,?,?,00000000), ref: 00A21813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A21449,?,?,00000000), ref: 00A21828
GetCurrentProcess.KERNEL32(?,00000000,?,00A21449,?,?,00000000), ref: 00A21830
DuplicateHandle.KERNEL32(00000000,?,00A21449,?,?,00000000), ref: 00A21833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A21449,?,?,00000000), ref: 00A21843
GetCurrentProcess.KERNEL32(00A21449,00000000,?,00A21449,?,?,00000000), ref: 00A2184B
DuplicateHandle.KERNEL32(00000000,?,00A21449,?,?,00000000), ref: 00A2184E
CreateThread.KERNEL32(00000000,00000000,00A21874,00000000,00000000,00000000), ref: 00A21868

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5fa010962e0b6b4119442f0c2e939298762a60e67f09be3a77cc9d6c20d5106b
Instruction ID: d622d8b65d7fc294c201bb71b8f02a9076502d8d9dcf8e53de61808a525ed6f3
Opcode Fuzzy Hash: 5fa010962e0b6b4119442f0c2e939298762a60e67f09be3a77cc9d6c20d5106b
Instruction Fuzzy Hash: B401A8B5640708BFE610EBA5DC49F6B7BACFB89B21F004511FA05DB1A5CA709841CB20

Function 00A4A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A2D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A2D501
Part of subcall function 00A2D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A2D50F
Part of subcall function 00A2D4DC: CloseHandle.KERNEL32(00000000), ref: 00A2D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A4A16D
GetLastError.KERNEL32 ref: 00A4A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A4A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A4A268
GetLastError.KERNEL32(00000000), ref: 00A4A273
CloseHandle.KERNEL32(00000000), ref: 00A4A2C4

Strings

SeDebugPrivilege, xrefs: 00A4A18F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9d711c31026b3bb2c45bc1c766319c0c54a3acdc70227af87151c2286be59950
Instruction ID: 2be7522708b51bf6ac4cff7b4ab264379872e02291b2ce69215832eb8e9743ed
Opcode Fuzzy Hash: 9d711c31026b3bb2c45bc1c766319c0c54a3acdc70227af87151c2286be59950
Instruction Fuzzy Hash: 51618F742443429FD710DF18C494F5ABBE1AFA4318F54849CE46A4B7A3C7B2ED46CB92

Function 00A53886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A53925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A5393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A53954
_wcslen.LIBCMT ref: 00A53999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A539F4

Strings

SysListView32, xrefs: 00A538F7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 184969448054d604b9ad85b6af41027ae8e33ba0b798d2feb39d6db4a2ebf9e6
Instruction ID: cef958324c92eb24ef89d4788cd9b9ce14e06f366da1eab4d859dcb8f0013177
Opcode Fuzzy Hash: 184969448054d604b9ad85b6af41027ae8e33ba0b798d2feb39d6db4a2ebf9e6
Instruction Fuzzy Hash: 03419172A00319ABEF21DF64CC45BEA7BA9FF48391F100526F958E7281D7759E84CB90

Function 00A2BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A2BCFD
IsMenu.USER32(00000000), ref: 00A2BD1D
CreatePopupMenu.USER32 ref: 00A2BD53
GetMenuItemCount.USER32(00FF68A0), ref: 00A2BDA4
InsertMenuItemW.USER32(00FF68A0,?,00000001,00000030), ref: 00A2BDCC

Strings

2, xrefs: 00A2BD37
0, xrefs: 00A2BCA8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3845b95a520b1c6db6d0911503631a44aae587312c5f279bb4fe148341b85749
Instruction ID: c12c45fa74112f2377c1ffadb060de870918776238c834145b87532dc36f8a54
Opcode Fuzzy Hash: 3845b95a520b1c6db6d0911503631a44aae587312c5f279bb4fe148341b85749
Instruction Fuzzy Hash: 7C519C70A103259BDB10DFACE988BEEBBF4BF45324F148169E45197291E7709941CB61

Function 00A2C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A2C913

Strings

warning, xrefs: 00A2C8FC
stop, xrefs: 00A2C8E4
info, xrefs: 00A2C8B4
blank, xrefs: 00A2C895
question, xrefs: 00A2C8CC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: be6fff0c48c63f89e920c80d6efce394a11944409f3e01227ca0c7e35642982c
Instruction ID: 3ae0f581ef27fe770e2cdc067c9010c83d6792d501b0504f8ed624e27048cc82
Opcode Fuzzy Hash: be6fff0c48c63f89e920c80d6efce394a11944409f3e01227ca0c7e35642982c
Instruction Fuzzy Hash: 7D113D32689316BEF701AB58BC83DAE27ACDF19334B10003AF500A7282D7B05E4053A8

Function 00A2ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A2ED2A
_wcslen.LIBCMT ref: 00A2ED3B
_wcslen.LIBCMT ref: 00A2ED79
_wcslen.LIBCMT ref: 00A2EDAF
_wcslen.LIBCMT ref: 00A2EDDF
_wcslen.LIBCMT ref: 00A2EDEF
_wcslen.LIBCMT ref: 00A2EE2B
_wcslen.LIBCMT ref: 00A2EE5A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 31bf65e4a22e6f36d43859d9a6abcaa763d7082fe901afcabda2e2fd9f625614
Instruction ID: fecf3b83c5b56faa0f81d36a22a793f455db46bcb5a44e353a707c0e96d5e3c3
Opcode Fuzzy Hash: 31bf65e4a22e6f36d43859d9a6abcaa763d7082fe901afcabda2e2fd9f625614
Instruction Fuzzy Hash: F8419665C1025875CB12EBF6888ABCF77A8AF85750F504462E624F3222FB34E655C3E5

Function 009DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 009DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 00A1F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 00A1F454

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 767684f6d9d5016411b6ae4400fea46cc13a60ae7e778467f450d882e7772c5b
Instruction ID: e32887da2a9b9ec5d230e4fd9b43f5f0673e450d80536fbcf2497c1de39f6163
Opcode Fuzzy Hash: 767684f6d9d5016411b6ae4400fea46cc13a60ae7e778467f450d882e7772c5b
Instruction Fuzzy Hash: 9A412A30A48BC0BEC739CB2988B976A7B95BB46360F14C43EE09B56B64D635A8C1C711

Function 00A52D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A52D1B
GetDC.USER32(00000000), ref: 00A52D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A52D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A52D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A52D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A52D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A55A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A52DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A52DE1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fd586f3dea595a75a1a2b13a677c0a7f7231fb16b8f89cb5e1a1ff3846c20dbe
Instruction ID: ba27686fa9750dd47c8310d09ac92ca67f92ebb7c3476b7364c0d7277b23362c
Opcode Fuzzy Hash: fd586f3dea595a75a1a2b13a677c0a7f7231fb16b8f89cb5e1a1ff3846c20dbe
Instruction Fuzzy Hash: 93317C72201314BFEB118F50DC8AFEB3BA9FF0A726F044055FE08AA295C6759C51CBA4

Function 00A25622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A25637
_memcmp.LIBVCRUNTIME ref: 00A25659
_memcmp.LIBVCRUNTIME ref: 00A25671
_memcmp.LIBVCRUNTIME ref: 00A25684
_memcmp.LIBVCRUNTIME ref: 00A2569E
_memcmp.LIBVCRUNTIME ref: 00A256B1
_memcmp.LIBVCRUNTIME ref: 00A256C9
_memcmp.LIBVCRUNTIME ref: 00A256E4

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6b31a505825406c2427ccdbee23fbcf64827f92d111f919c041eed0ec94c93f8
Instruction ID: 26085453b9522d1b021574b408eee4cdac33ada9f945fafe9c592f017927ca58
Opcode Fuzzy Hash: 6b31a505825406c2427ccdbee23fbcf64827f92d111f919c041eed0ec94c93f8
Instruction Fuzzy Hash: E821C671E41A69BFD2159639AE82FFB335CBF61385F480430FD049A685F731ED1481A5

Function 00A44FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A4502E, 00A45383
Not an Object type, xrefs: 00A45007

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ab0b3632483a7654fdef49ded861b0b5423ec559eaae163447dffc668e9e450c
Instruction ID: 66c57d26816538262c30e8bd052666d73ad59977d80c6481e1add6e713b8f2e1
Opcode Fuzzy Hash: ab0b3632483a7654fdef49ded861b0b5423ec559eaae163447dffc668e9e450c
Instruction Fuzzy Hash: BCD1C579E0060AAFDF10DFA8C891FAEB7B5BF88344F148569E915AB282D770DD41CB50

Function 00A01522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00A015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A01651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A016FB

Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A01777
__freea.LIBCMT ref: 00A017A2
__freea.LIBCMT ref: 00A017AE

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: df0acc829f2e39c598079b7c7b229ba022d2c37f0aa1e7c66fe3b1b8c73fdc8a
Instruction ID: 629e0004947073b9f5506804952b5f74fe37e01b65e9784bb4216b1ebf6cb7ec
Opcode Fuzzy Hash: df0acc829f2e39c598079b7c7b229ba022d2c37f0aa1e7c66fe3b1b8c73fdc8a
Instruction Fuzzy Hash: 09919471E0021E9FDB208FA4ED81AEEBBB5AF89710F584659E901EB1C1D735DD41CB60

Function 00A44523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A44648
VariantInit.OLEAUT32(?), ref: 00A44749
VariantClear.OLEAUT32(?), ref: 00A44753
VariantClear.OLEAUT32(?), ref: 00A447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00A4472C
Null Object assignment in FOR..IN loop, xrefs: 00A445D8, 00A44706, 00A447BE

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: db13e0d361e4e7a781b67ecb3315b03f8c288f2548b74a4eade63ac43df88227
Instruction ID: cd9bb8ef91f97c671ab755a0fe3dd8f82b637ed3391e92d5b168b65f2df538ab
Opcode Fuzzy Hash: db13e0d361e4e7a781b67ecb3315b03f8c288f2548b74a4eade63ac43df88227
Instruction Fuzzy Hash: 10917275A00215AFDF20CFA5C848FAEBBB8FF8A715F108559F515AB280D7709945CFA0

Function 00A31187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A3125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A31284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A3135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A31430

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8cf91cebc2d25e153f1ae85cb3211f1fe0425768d80b2d1d953c152549d35b13
Instruction ID: 5d9bcf18b03634654ca06409898b0f307ff6321dab347a39eaad49e0db749a0d
Opcode Fuzzy Hash: 8cf91cebc2d25e153f1ae85cb3211f1fe0425768d80b2d1d953c152549d35b13
Instruction Fuzzy Hash: 7791BBB5A00308AFDB00DFA8C895BBEB7B5FF44325F108029F911EB291D774A942CB90

Function 009D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 08e8478a1b84f8c9d9a214b3797e506c710d3f5f2b1d9d0c612bd0a7162af22d
Instruction ID: 70415f35a4ce1a9c5d3f7eed90e31ca86ee71d06b5038d509390a16091849ac3
Opcode Fuzzy Hash: 08e8478a1b84f8c9d9a214b3797e506c710d3f5f2b1d9d0c612bd0a7162af22d
Instruction Fuzzy Hash: B3913771D44219EFCB10DFA9CC84AEEBBB8FF49320F148556E915B7251D378AA42CB60

Function 00A43947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A4396B
CharUpperBuffW.USER32(?,?), ref: 00A43A7A
_wcslen.LIBCMT ref: 00A43A8A
VariantClear.OLEAUT32(?), ref: 00A43C1F

Part of subcall function 00A30CDF: VariantInit.OLEAUT32(00000000), ref: 00A30D1F
Part of subcall function 00A30CDF: VariantCopy.OLEAUT32(?,?), ref: 00A30D28
Part of subcall function 00A30CDF: VariantClear.OLEAUT32(?), ref: 00A30D34

Strings

Incorrect Parameter format, xrefs: 00A439A6, 00A43BA1
AUTOIT.ERROR, xrefs: 00A43A80, 00A43A85

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 19a430b84c28b963636d6acfa8e43ae63d2489de2f5a2b07d0b1b4fa69605fba
Instruction ID: 54c6768444538cf74f5112b348755246efae473b8d92413e90ef840e52365534
Opcode Fuzzy Hash: 19a430b84c28b963636d6acfa8e43ae63d2489de2f5a2b07d0b1b4fa69605fba
Instruction Fuzzy Hash: C3912575A083059FCB00EF64C481A6AB7E5FBC8314F14896DF88A97351DB31EE06CB92

Function 00A44BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A2000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?,?,00A2035E), ref: 00A2002B
Part of subcall function 00A2000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20046
Part of subcall function 00A2000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20054
Part of subcall function 00A2000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?), ref: 00A20064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A44C51
_wcslen.LIBCMT ref: 00A44D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A44DCF
CoTaskMemFree.OLE32(?), ref: 00A44DDA

Strings

NULL Pointer assignment, xrefs: 00A44E23, 00A44E52

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c7c2c8256a6a2f17b022e6cbab837743fbf747f9861af4d59d51a3447b9acfa9
Instruction ID: f392a8b7e3cdb4b011822ed0c9fba58127139b6a80f8b9bdfb54f8d512d1dd72
Opcode Fuzzy Hash: c7c2c8256a6a2f17b022e6cbab837743fbf747f9861af4d59d51a3447b9acfa9
Instruction Fuzzy Hash: 28912371D0021DAFDF10DFA4D891FEEB7B9BF88314F10816AE915A7241EB309A458FA1

Function 00A520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A52183
GetMenuItemCount.USER32(00000000), ref: 00A521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A521DD
_wcslen.LIBCMT ref: 00A52213
GetMenuItemID.USER32(?,?), ref: 00A5224D
GetSubMenu.USER32(?,?), ref: 00A5225B

Part of subcall function 00A23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A23A57
Part of subcall function 00A23A3D: GetCurrentThreadId.KERNEL32 ref: 00A23A5E
Part of subcall function 00A23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A225B3), ref: 00A23A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A522E3

Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 3ba810559e24d56b25519d395276a0007b5741ea6ce1b747e15a674a48e52c78
Instruction ID: 71d2d517eef75bd4ca1e6d98441ccd1ffdd425eaccd3cf7c9ffcf1cbb3644b4e
Opcode Fuzzy Hash: 3ba810559e24d56b25519d395276a0007b5741ea6ce1b747e15a674a48e52c78
Instruction Fuzzy Hash: 6A717E75E00205AFCB10DFA4C885BAEB7F1FF89321F148469E816EB341D734AE468B90

Function 00A57E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FF6AF8), ref: 00A57F37
IsWindowEnabled.USER32(00FF6AF8), ref: 00A57F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A5801E
SendMessageW.USER32(00FF6AF8,000000B0,?,?), ref: 00A58051
IsDlgButtonChecked.USER32(?,?), ref: 00A58089
GetWindowLongW.USER32(00FF6AF8,000000EC), ref: 00A580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A580C3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 683c9f93b5779abcef342484aa3108afa6a1102fa128a59bbe7e22a83c9e94ed
Instruction ID: a8ea75ff17c032a4ab7a468f1b3e45044ed45dffd59b3caae66d2d9cc950ca2c
Opcode Fuzzy Hash: 683c9f93b5779abcef342484aa3108afa6a1102fa128a59bbe7e22a83c9e94ed
Instruction Fuzzy Hash: 02717A74608204AFEB21DF64D884FAEBBB9FF19302F144459ED45A72A1CB35AD4DDB20

Function 00A2AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A2AEF9
GetKeyboardState.USER32(?), ref: 00A2AF0E
SetKeyboardState.USER32(?), ref: 00A2AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A2AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A2AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A2AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A2B020

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e2412235ef9ed417ed04b6e42b3f461fcb77260eb78860e0a0b5d7211ba1028b
Instruction ID: 98b8c205a8aacec8425306c9af26ad7a17d41661f46e417403d8b27392f679ff
Opcode Fuzzy Hash: e2412235ef9ed417ed04b6e42b3f461fcb77260eb78860e0a0b5d7211ba1028b
Instruction Fuzzy Hash: D051E4A06187E53EFB37833C9D45BBA7FE95B06304F0884A9E1D9558C2C398ADC4D761

Function 00A2ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A2AD19
GetKeyboardState.USER32(?), ref: 00A2AD2E
SetKeyboardState.USER32(?), ref: 00A2AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A2ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A2ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A2AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A2AE38

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6b98179ae4b024ef44651cf7cb5ea11082e24ce4a4356f252c6524d35f830019
Instruction ID: c9cac96c878e4a76778ea29ffa22ca1acbbe313ede37835ab13344d64ea2f11c
Opcode Fuzzy Hash: 6b98179ae4b024ef44651cf7cb5ea11082e24ce4a4356f252c6524d35f830019
Instruction Fuzzy Hash: 4D5106A16047F13FFB3683389C55BBABEA96B55300F0884A8E1D5568C3D294EC85D762

Function 009F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00A03CD6,?,?,?,?,?,?,?,?,009F5BA3,?,?,00A03CD6,?,?), ref: 009F5470
__fassign.LIBCMT ref: 009F54EB
__fassign.LIBCMT ref: 009F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A03CD6,00000005,00000000,00000000), ref: 009F552C
WriteFile.KERNEL32(?,00A03CD6,00000000,009F5BA3,00000000,?,?,?,?,?,?,?,?,?,009F5BA3,?), ref: 009F554B
WriteFile.KERNEL32(?,?,00000001,009F5BA3,00000000,?,?,?,?,?,?,?,?,?,009F5BA3,?), ref: 009F5584

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 27cc4e38359b5fa17095d415452ea3615f7c01c22fb26d520bdd3e6f0a08f2b7
Instruction ID: 1165453c6e6a8b04f742a526fcc032ce816941365ea38b1788c12ee9d9209cc5
Opcode Fuzzy Hash: 27cc4e38359b5fa17095d415452ea3615f7c01c22fb26d520bdd3e6f0a08f2b7
Instruction Fuzzy Hash: EA51C071A00749AFDB10CFA8D885AEEBBF9FF09310F15451AFA55E7291D7309A41CB60

Function 009E2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 009E2D53
_ValidateLocalCookies.LIBCMT ref: 009E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 009E2E0C
_ValidateLocalCookies.LIBCMT ref: 009E2E61

Strings

csm, xrefs: 009E2DF6

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d2f50e24c62c868baccc0f652450a4ae48dc5f8792a6c7eb2e548caf9c7b064e
Instruction ID: 970970c67ef3ccbec44202e6ef53f88c4a35f5e35629603493f2e5fa15bd1b18
Opcode Fuzzy Hash: d2f50e24c62c868baccc0f652450a4ae48dc5f8792a6c7eb2e548caf9c7b064e
Instruction Fuzzy Hash: 8E41B234E00289EBCF11DF6ACC45B9EBBB9BF84324F148155E914AB392D771AE41CB90

Function 00A410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A4307A
Part of subcall function 00A4304E: _wcslen.LIBCMT ref: 00A4309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A41112
WSAGetLastError.WSOCK32 ref: 00A41121
WSAGetLastError.WSOCK32 ref: 00A411C9
closesocket.WSOCK32(00000000), ref: 00A411F9

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 9c8b10a81f44f0b4c6e0d824a60ccad193b921c8921aef0510b07a6850be8f4c
Instruction ID: 6847f8b71a16599638dc736ec40ad5bd733c7fcaecaf0a113f4f0cb68d11682d
Opcode Fuzzy Hash: 9c8b10a81f44f0b4c6e0d824a60ccad193b921c8921aef0510b07a6850be8f4c
Instruction Fuzzy Hash: 2341F435600204AFDB10DF68C884BA9BBE9FF85325F14815DF9099B295D770AE82CBE1

Function 00A2CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A2CF22,?), ref: 00A2DDFD

Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A2CF22,?), ref: 00A2DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A2CF45
MoveFileW.KERNEL32(?,?), ref: 00A2CF7F
_wcslen.LIBCMT ref: 00A2D005
_wcslen.LIBCMT ref: 00A2D01B
SHFileOperationW.SHELL32(?), ref: 00A2D061

Strings

\*.*, xrefs: 00A2CFF3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7bef85835a6dd015f1084187c52cc714bc4e5e69a9834caaff60efdcfde10e3d
Instruction ID: c7e9f68f40f12babb2a1102471f1beb4aa79e289e2ee3c54618a87f552034010
Opcode Fuzzy Hash: 7bef85835a6dd015f1084187c52cc714bc4e5e69a9834caaff60efdcfde10e3d
Instruction Fuzzy Hash: 8F4176718452285FDF12EBA8DA81FDDB7B9AF48790F1000F6E545EB142EA34AA84CB50

Function 00A52DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A52E1C
GetWindowLongW.USER32(?,000000F0), ref: 00A52E4F
GetWindowLongW.USER32(?,000000F0), ref: 00A52E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A52EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A52EE0
GetWindowLongW.USER32(?,000000F0), ref: 00A52EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A52F0B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2c702d6fe918643b6a3269f21077f74e94b654190e34b2311dd05968b298df45
Instruction ID: 022aee297edbf8752b1bfccf3c4e5d046e8119f14b3c94e37770a63fe68a537d
Opcode Fuzzy Hash: 2c702d6fe918643b6a3269f21077f74e94b654190e34b2311dd05968b298df45
Instruction Fuzzy Hash: DC310330644251AFEB21CF98EC86F653BE1FB9A722F150165FD008F2B6CB75A849DB41

Function 00A27726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A27769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A2778F
SysAllocString.OLEAUT32(00000000), ref: 00A27792
SysAllocString.OLEAUT32(?), ref: 00A277B0
SysFreeString.OLEAUT32(?), ref: 00A277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A277DE
SysAllocString.OLEAUT32(?), ref: 00A277EC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b20c5957262defc6369f442d5cb99ee3179c7386d46a5fb012c74324c5eaeeb6
Instruction ID: b75a0df1b386a1887ac290eedd5bf38d8a4f42522bf1a9488e88ec1b33e6c0df
Opcode Fuzzy Hash: b20c5957262defc6369f442d5cb99ee3179c7386d46a5fb012c74324c5eaeeb6
Instruction Fuzzy Hash: 51217C76604229AFDB10DFACDC88DBE77ACFB09764B048135FA15DB254D6709E428760

Function 00A277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A27842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A27868
SysAllocString.OLEAUT32(00000000), ref: 00A2786B
SysAllocString.OLEAUT32 ref: 00A2788C
SysFreeString.OLEAUT32 ref: 00A27895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A278AF
SysAllocString.OLEAUT32(?), ref: 00A278BD

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b2e9619096b544b046ae83dd8c2a5f755c111be09f086d26e3481bdb80935c98
Instruction ID: d3ca7766327b0fa63df4cbc0246ed0bc053be1d41cafea352c68b917eca0ded8
Opcode Fuzzy Hash: b2e9619096b544b046ae83dd8c2a5f755c111be09f086d26e3481bdb80935c98
Instruction Fuzzy Hash: 49215E36608224AFDB109BEDEC8DDAA77ECFB097607108125F915CB2A5E670DD81CB64

Function 00A304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A3052E

Strings

nul, xrefs: 00A30567

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 123897e87d29d431a23bd6fe19828c88b508a2fd87200a026670faf0c349e4ad
Instruction ID: 2e9258b09b9b833c2252c235592fdd770ab74d9d8f61913b1755b0fb43d7443f
Opcode Fuzzy Hash: 123897e87d29d431a23bd6fe19828c88b508a2fd87200a026670faf0c349e4ad
Instruction Fuzzy Hash: F8214A75600305AFDF209F69DC54E9ABBB4BF54765F208A19F8A1E72E0E7709981CF20

Function 00A305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A30601

Strings

nul, xrefs: 00A30639

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ac7d1fcb6bf9b314e771ee6ead18e6aecf290ae94e87e29dd8d0746e3d758f9a
Instruction ID: 0e8a2674fd9c68ef4db527165c30455cab90c9284f544f534035fe98b7cfa226
Opcode Fuzzy Hash: ac7d1fcb6bf9b314e771ee6ead18e6aecf290ae94e87e29dd8d0746e3d758f9a
Instruction Fuzzy Hash: 452181755003059FDB209F69DC15E9ABBE8BF95B30F200A19F8A1E72E8D7B09861CB10

Function 00A540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009C604C
Part of subcall function 009C600E: GetStockObject.GDI32(00000011), ref: 009C6060
Part of subcall function 009C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A54112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A5411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A5412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A54139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A54145

Strings

Msctls_Progress32, xrefs: 00A540E3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: de764536c061e533d0c05dd3ee33c48d84c36d1e1f4e9dc3ce1616e2502e03e2
Instruction ID: 89b39b4bf5b3551c8ba924adc1e950b4fc76b627e6c909fe5b33cd1adc8ae567
Opcode Fuzzy Hash: de764536c061e533d0c05dd3ee33c48d84c36d1e1f4e9dc3ce1616e2502e03e2
Instruction Fuzzy Hash: 3511B6B11402197EEF119F64CC85EE77F5DFF18798F104111BA18A2050C776DC61DBA4

Function 009FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009FD7A3: _free.LIBCMT ref: 009FD7CC

_free.LIBCMT ref: 009FD82D

Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0

_free.LIBCMT ref: 009FD838
_free.LIBCMT ref: 009FD843
_free.LIBCMT ref: 009FD897
_free.LIBCMT ref: 009FD8A2
_free.LIBCMT ref: 009FD8AD
_free.LIBCMT ref: 009FD8B8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 44caa126003322478b66d817fd61cf4af55d29d2f87bc6801ffe68ce9552bbc2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 481151B1582B0CAAE521BFB0CC47FEB7BDD6F80710F400825B399AA0A2DA65B5454750

Function 00A2DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A2DA74
LoadStringW.USER32(00000000), ref: 00A2DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A2DA91
LoadStringW.USER32(00000000), ref: 00A2DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A2DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A2DAB9

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: bc1ab289d7b1bc2e760a59bea3f90ad90e1393de7d9b94d461687d636ba9a6f7
Instruction ID: 3eff78d89a8140595d94ab53e94f4b4a901b3b26c7b2858fb1480e1e4077c83b
Opcode Fuzzy Hash: bc1ab289d7b1bc2e760a59bea3f90ad90e1393de7d9b94d461687d636ba9a6f7
Instruction Fuzzy Hash: 3F0162F25003187FE710EBE49D89EEB326CF708716F4045A1B706E2046EA749E858F74

Function 00A3096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00FF2C38,00FF2C38), ref: 00A3097B
EnterCriticalSection.KERNEL32(00FF2C18,00000000), ref: 00A3098D
TerminateThread.KERNEL32(?,000001F6), ref: 00A3099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00A309A9
CloseHandle.KERNEL32(?), ref: 00A309B8
InterlockedExchange.KERNEL32(00FF2C38,000001F6), ref: 00A309C8
LeaveCriticalSection.KERNEL32(00FF2C18), ref: 00A309CF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5f4cee97581f78b9dbe2a07d0ffa6e2e5195d3d4e92f1ecf88dd094054159b24
Instruction ID: 62e56c5480f10bd5082c917ba0231d11a4f05025d1b137b389e8eed819176691
Opcode Fuzzy Hash: 5f4cee97581f78b9dbe2a07d0ffa6e2e5195d3d4e92f1ecf88dd094054159b24
Instruction Fuzzy Hash: 3CF01D31442B12AFD741AB94EE88BDABA25FF01712F401015F202548A4CB749466CF90

Function 009C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 009C5D30
GetWindowRect.USER32(?,?), ref: 009C5D71
ScreenToClient.USER32(?,?), ref: 009C5D99
GetClientRect.USER32(?,?), ref: 009C5ED7
GetWindowRect.USER32(?,?), ref: 009C5EF8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 33a953fc9bad7bdff6a9c2dd7e58428942d52dfc034beedb8eca3313bcf39f62
Instruction ID: 2133c070e327cebc9083dd3e85ce9f1d2f55e5bcd5523dffd4d4f779b33e01c1
Opcode Fuzzy Hash: 33a953fc9bad7bdff6a9c2dd7e58428942d52dfc034beedb8eca3313bcf39f62
Instruction Fuzzy Hash: 55B16A74A0074ADBDB14CFA8C480BEAB7F1BF58310F14881AE8A9D7294D734AA91DB51

Function 009F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F00D6
__allrem.LIBCMT ref: 009F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F010B
__allrem.LIBCMT ref: 009F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F0140

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 6d83fda93c773b68462c7e3a679fdf52a875278de0e7c25f28254b384f15110c
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 2181E672B00B0A9BE7219F69CC51B7A73EDEF81724F24453AF651D6682EB70DD008B50

Function 00A41D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A43149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00A4101C,00000000,?,?,00000000), ref: 00A43195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A41DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A41DE1
WSAGetLastError.WSOCK32 ref: 00A41DF2
inet_ntoa.WSOCK32(?), ref: 00A41E8C
htons.WSOCK32(?,?,?,?,?), ref: 00A41EDB
_strlen.LIBCMT ref: 00A41F35

Part of subcall function 00A239E8: _strlen.LIBCMT ref: 00A239F2

Part of subcall function 009C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,009DCF58,?,?,?), ref: 009C6DBA
Part of subcall function 009C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,009DCF58,?,?,?), ref: 009C6DED

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 33f5343415bc1dbb8c5ecaae54f6da08158d2821f1395f8995c13e53a7d57927
Instruction ID: 56124259cd7ec0d3211cc9f5ef436d125b3af6a12fbab7b93e54cce57cf745f0
Opcode Fuzzy Hash: 33f5343415bc1dbb8c5ecaae54f6da08158d2821f1395f8995c13e53a7d57927
Instruction Fuzzy Hash: 28A1DE35604340AFC324DF24C896F2ABBE5AFC4318F54895DF4565B2A2DB31ED86CB92

Function 009F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009E82D9,009E82D9,?,?,?,009F644F,00000001,00000001,8BE85006), ref: 009F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009F644F,00000001,00000001,8BE85006,?,?,?), ref: 009F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009F63D8
__freea.LIBCMT ref: 009F63E5

Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852

__freea.LIBCMT ref: 009F63EE
__freea.LIBCMT ref: 009F6413

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4ed47ea5dcab834b2a90f225a045049738748f06bace5ad4bbfb799bbee46e9a
Instruction ID: 9c915a6c766733d21bb0f96ed3f08f69a32520caa420762abfe7edb788ee49f7
Opcode Fuzzy Hash: 4ed47ea5dcab834b2a90f225a045049738748f06bace5ad4bbfb799bbee46e9a
Instruction Fuzzy Hash: 6F51DF72A0031AABEB258F64CC81FBF77AAEB94760F154629FA05D7140DB74DC44C7A0

Function 00A4BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A4BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A4BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A4BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A4BDF3
RegCloseKey.ADVAPI32(?), ref: 00A4BDFF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 090cfee472b9db2dc67c6d6625e75d3001f12546e43c23a210494697dadc5019
Instruction ID: d639215aa0bc5b7aa8c5ee623c848c7c965b199e5ab65e8e75dae41cf791f747
Opcode Fuzzy Hash: 090cfee472b9db2dc67c6d6625e75d3001f12546e43c23a210494697dadc5019
Instruction Fuzzy Hash: 4A816C34618241AFD714DF24C895E2ABBE5FFC4318F14899CF4594B2A2DB31ED45CBA2

Function 00A1F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A1F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A1F860
VariantCopy.OLEAUT32(00A1FA64,00000000), ref: 00A1F889
VariantClear.OLEAUT32(00A1FA64), ref: 00A1F8AD
VariantCopy.OLEAUT32(00A1FA64,00000000), ref: 00A1F8B1
VariantClear.OLEAUT32(?), ref: 00A1F8BB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b5f6830749a95fd8cfc4463c9abee1d5e1e549290b87bcdf374799bdd3e54c0d
Instruction ID: 613fc56f2b1c4a11272abb5bb5d2f21ac6553de4f0a0886610ba59ee78e61b63
Opcode Fuzzy Hash: b5f6830749a95fd8cfc4463c9abee1d5e1e549290b87bcdf374799bdd3e54c0d
Instruction Fuzzy Hash: 2B51C735500390BFCF10AB65D895BA9B3B9EF45710F24846BF806DF295DB708C80CB96

Function 00A3910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00A394E5
_wcslen.LIBCMT ref: 00A39506
_wcslen.LIBCMT ref: 00A3952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00A39585

Strings

X, xrefs: 00A39412

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: df36952c868fc906ab3e55d8f1a91d3e37f16657d1bf86f36afff6f84419d996
Instruction ID: d8b51d059d8ac962ffb958bafaf98d81d451af176eab10800d71809e77624743
Opcode Fuzzy Hash: df36952c868fc906ab3e55d8f1a91d3e37f16657d1bf86f36afff6f84419d996
Instruction Fuzzy Hash: 2DE17B71A083409FD724EF24C885F6AB7E4BF84314F04896DF8999B2A2DB71DD45CB92

Function 009D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

BeginPaint.USER32(?,?,?), ref: 009D9241
GetWindowRect.USER32(?,?), ref: 009D92A5
ScreenToClient.USER32(?,?), ref: 009D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009D92D3
EndPaint.USER32(?,?,?,?,?), ref: 009D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A171EA

Part of subcall function 009D9339: BeginPath.GDI32(00000000), ref: 009D9357

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9ed566b442f2045092ae5bd241658bd0fc5a4f23703a44a7ce96b7f0dd1f1ff5
Instruction ID: a4f98d113d95cf1fb1f1d62634e2d1717c87c0fc03de78b771d907cb995a3437
Opcode Fuzzy Hash: 9ed566b442f2045092ae5bd241658bd0fc5a4f23703a44a7ce96b7f0dd1f1ff5
Instruction Fuzzy Hash: B941B030244301AFD711EFA4DC84FBA7BB8FB45761F14462AFA64972B1C7319846DB61

Function 00A307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A3080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A30847
EnterCriticalSection.KERNEL32(?), ref: 00A30863
LeaveCriticalSection.KERNEL32(?), ref: 00A308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A30921

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 06dbf47673fd95701636d6cb0005b916a8444c0d8bb4168ec47ae7cf76230648
Instruction ID: 4fedb1d12b0eb6a4de78d1b857fec03937c1b6b199ebe0242f5799075b847367
Opcode Fuzzy Hash: 06dbf47673fd95701636d6cb0005b916a8444c0d8bb4168ec47ae7cf76230648
Instruction Fuzzy Hash: 94416A71900205EFDF15EF94DC85AAAB7B8FF44310F1480A9FD059A29ADB30DE61DBA0

Function 00A581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A1F3AB,00000000,?,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 00A5824C
EnableWindow.USER32(?,00000000), ref: 00A58272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A582D1
ShowWindow.USER32(?,00000004), ref: 00A582E5
EnableWindow.USER32(?,00000001), ref: 00A5830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A5832F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: daf8aa955616f003ea9b9ea77291a005614bf4910b7bad173096a44049488403
Instruction ID: 03ee6c846c8fbf17d3c039adc3292fd1f4d458b98839c9c5f3c865aa191c45d1
Opcode Fuzzy Hash: daf8aa955616f003ea9b9ea77291a005614bf4910b7bad173096a44049488403
Instruction Fuzzy Hash: 3641D530601740AFDF12CF54C899BE87BE0FB0A726F184169E9189F272CB35A84ACF40

Function 00A24C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A24C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A24CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A24CEA
_wcslen.LIBCMT ref: 00A24D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A24D10
_wcsstr.LIBVCRUNTIME ref: 00A24D1A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: bd60ea0e200c3ec8b7fefc7d2f62883b4af8d87d03a7b731bec340b4802abaef
Instruction ID: 12246e373b8ec9051f63942e9d61c66ab54254c52c177afac1f335ad5eb97b2b
Opcode Fuzzy Hash: bd60ea0e200c3ec8b7fefc7d2f62883b4af8d87d03a7b731bec340b4802abaef
Instruction Fuzzy Hash: FA21D7722042107BEB159B7DAC4AE7B7BACDF49760F10803AF805CA192EA65DD0196A0

Function 00A3581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2

_wcslen.LIBCMT ref: 00A3587B
CoInitialize.OLE32(00000000), ref: 00A35995
CoCreateInstance.OLE32(00A5FCF8,00000000,00000001,00A5FB68,?), ref: 00A359AE
CoUninitialize.OLE32 ref: 00A359CC

Strings

.lnk, xrefs: 00A35876, 00A358C1, 00A35985

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 9b042750f7a2ee6a73c1028c84d9da219da5f3af7ce172afff48e0e8d7e03ae0
Instruction ID: 77115dcb78eca86dea337c100989d110a0f1b10dc61149803eff26b5abba703a
Opcode Fuzzy Hash: 9b042750f7a2ee6a73c1028c84d9da219da5f3af7ce172afff48e0e8d7e03ae0
Instruction Fuzzy Hash: 36D13F71A087019FC714DF28C484A2ABBE5FF89724F14895DF88A9B361DB31ED45CB92

Function 00A2175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A20FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A20FCA
Part of subcall function 00A20FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A20FD6
Part of subcall function 00A20FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A20FE5
Part of subcall function 00A20FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A20FEC
Part of subcall function 00A20FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A21002

GetLengthSid.ADVAPI32(?,00000000,00A21335), ref: 00A217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A217BA
HeapAlloc.KERNEL32(00000000), ref: 00A217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A217DA
GetProcessHeap.KERNEL32(00000000,00000000,00A21335), ref: 00A217EE
HeapFree.KERNEL32(00000000), ref: 00A217F5

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 26aecefc009bf473cfae1e515bd95a75ec0f84eba84a000361f2e0b06f65f6a3
Instruction ID: 37e322c2237fa6e27f1a651cb898078b3a7f1c029dc3b9e817b69e89d0c55df5
Opcode Fuzzy Hash: 26aecefc009bf473cfae1e515bd95a75ec0f84eba84a000361f2e0b06f65f6a3
Instruction Fuzzy Hash: 4C119A31500725EFDB10DFA8EC49FAE7BA9FB95366F104128F48197211D735A941CFA0

Function 00A214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A21506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A21515
CloseHandle.KERNEL32(00000004), ref: 00A21520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A2154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A21563

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d1c331e70677ceef0788a1489e138fcc5ac294f9ec3ebb026433ce5edae889ec
Instruction ID: 3531b80786a4f5d1717a5f948305c14e71a2d0889a8c8271a12646cd5753e06e
Opcode Fuzzy Hash: d1c331e70677ceef0788a1489e138fcc5ac294f9ec3ebb026433ce5edae889ec
Instruction Fuzzy Hash: 431144B250020DAFDB11CFA8ED49FDA7BA9FB48719F044064FA05A20A0C3768E61DB60

Function 009E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009E3379,009E2FE5), ref: 009E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009E33B7
SetLastError.KERNEL32(00000000,?,009E3379,009E2FE5), ref: 009E3409

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 87c1ca82e0ffb71a96235abc8c3b981bd64157ef991f2ed72eb112fff0d8cf31
Instruction ID: e18cb16184b849f6355636b67814ce9433ec07b6a89e02d5cb75fbd3da38d57e
Opcode Fuzzy Hash: 87c1ca82e0ffb71a96235abc8c3b981bd64157ef991f2ed72eb112fff0d8cf31
Instruction Fuzzy Hash: 8E012832208751BFE72727B7FC8EA662AA8EB457B57308229F410871F0FF614D025A64

Function 009F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009F5686,00A03CD6,?,00000000,?,009F5B6A,?,?,?,?,?,009EE6D1,?,00A88A48), ref: 009F2D78
_free.LIBCMT ref: 009F2DAB
_free.LIBCMT ref: 009F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,009EE6D1,?,00A88A48,00000010,009C4F4A,?,?,00000000,00A03CD6), ref: 009F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,009EE6D1,?,00A88A48,00000010,009C4F4A,?,?,00000000,00A03CD6), ref: 009F2DEC
_abort.LIBCMT ref: 009F2DF2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2bb2251c41243b3c98b98b87ff36475f9fa6cef451efcb545229371cc2fc2c87
Instruction ID: c6a11bbe99ad3460f61fe65f04af7a0a15a4199d76bce4fd91546fc9df160e61
Opcode Fuzzy Hash: 2bb2251c41243b3c98b98b87ff36475f9fa6cef451efcb545229371cc2fc2c87
Instruction Fuzzy Hash: 4AF0F431545B0C2BC2126774BC0AF7A265DBFC27B1F214518FB24971E6EE2888024320

Function 00A58A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009D9693
Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96A2
Part of subcall function 009D9639: BeginPath.GDI32(?), ref: 009D96B9
Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A58A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A58A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A58A70
LineTo.GDI32(?,00000000,00000003), ref: 00A58A80
EndPath.GDI32(?), ref: 00A58A90
StrokePath.GDI32(?), ref: 00A58AA0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a6f12be63bec60b261dd4e114f91a6404ae471ada204548fefb5f83ae465ea80
Instruction ID: cb39401e3f09484ed1a44951059a37c45c33645ec3e23e16fb13209c8364facb
Opcode Fuzzy Hash: a6f12be63bec60b261dd4e114f91a6404ae471ada204548fefb5f83ae465ea80
Instruction Fuzzy Hash: 2811FA76000209FFDF119FD0DC88EAA7F6CFB043A1F048012BA15951A1C7719D56DB60

Function 00A251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A25218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A25229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A25230
ReleaseDC.USER32(00000000,00000000), ref: 00A25238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A2524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A25261

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ec8b84313eab89c88dd68d892dbaa0fcd036efc3ad195a598cfd04f4b906c712
Instruction ID: 46b919f025f80c9d3650ac21726d8f080fda1b3df3d9d13bdfd1f88a4f39589a
Opcode Fuzzy Hash: ec8b84313eab89c88dd68d892dbaa0fcd036efc3ad195a598cfd04f4b906c712
Instruction Fuzzy Hash: 18014F75E00718BFEB109BF99C49A9EBFB8FF48762F044065FA04A7285D6709901CBA0

Function 009C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 009C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 009C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 009C1C22

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c407002500a2bbd5898746fe3d60fa32d5f5ad510b18c5b2ce6054823c12cd18
Instruction ID: 51e9c427b8d3cb60cfc0559d9ad52e9a8ea3171e8bf38dc2ac342fbd4367f2aa
Opcode Fuzzy Hash: c407002500a2bbd5898746fe3d60fa32d5f5ad510b18c5b2ce6054823c12cd18
Instruction Fuzzy Hash: E80167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00A2EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A2EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A2EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A2EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB75

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e85543da0b3f463bc6ee0f386937fc9765154cbdb5e37769769e220c0f2e2315
Instruction ID: 0c7e86555d45c2b58d94884bdba392e16280a14173a0c667a3ea7e3f78bd8ddf
Opcode Fuzzy Hash: e85543da0b3f463bc6ee0f386937fc9765154cbdb5e37769769e220c0f2e2315
Instruction Fuzzy Hash: 0CF01D72240758BFE62197929C0DEAB7A7CFBCAB22F004158F601D109596A45A4286B5

Function 00A17439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A17452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A17469
GetWindowDC.USER32(?), ref: 00A17475
GetPixel.GDI32(00000000,?,?), ref: 00A17484
ReleaseDC.USER32(?,00000000), ref: 00A17496
GetSysColor.USER32(00000005), ref: 00A174B0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 88d438d942bfb536f5660e2efe6d53e33cc03982ac960911670bd27e6aa7e2fa
Instruction ID: 7115640b6d2f84ab27346bcfbf18caabb29bc0932462ea9e7235f5bdb2c8f066
Opcode Fuzzy Hash: 88d438d942bfb536f5660e2efe6d53e33cc03982ac960911670bd27e6aa7e2fa
Instruction Fuzzy Hash: 4A018631440305EFEB519FA4DC08BEE7BB5FB04322F201160F916A31A0CB311E82EB10

Function 00A21874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A2187F
UnloadUserProfile.USERENV(?,?), ref: 00A2188B
CloseHandle.KERNEL32(?), ref: 00A21894
CloseHandle.KERNEL32(?), ref: 00A2189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A218A5
HeapFree.KERNEL32(00000000), ref: 00A218AC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d5b33c0a827b1587be1838579e54fcec40ef31991e066a678d16e93f36798c28
Instruction ID: 37e6e74aef339838fa05d0353f23f01b70714713bef854e9e944427e19cdb884
Opcode Fuzzy Hash: d5b33c0a827b1587be1838579e54fcec40ef31991e066a678d16e93f36798c28
Instruction Fuzzy Hash: D4E0C236004705BFDA019BE1ED0C90ABB69FB49B32B108220F22685478CB32A4A2DB50

Function 00A2C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A2C6EE
_wcslen.LIBCMT ref: 00A2C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A2C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A2C7CA

Strings

0, xrefs: 00A2C6AF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b226ce32991a17b0e44c453d724e06cf85fbbb1fea78d1fade4d7496766ec6f1
Instruction ID: 83cbebaf6d02694e6fbd24a26ef22d97a9696ca499745d2122e0dc0c476873a7
Opcode Fuzzy Hash: b226ce32991a17b0e44c453d724e06cf85fbbb1fea78d1fade4d7496766ec6f1
Instruction Fuzzy Hash: 2551CC716043619BD7159F2CE885B6EB7E8AF89320F040A3DF995E32A1DB64DD04CB92

Function 00A4AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A4AEA3

Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625

GetProcessId.KERNEL32(00000000), ref: 00A4AF38
CloseHandle.KERNEL32(00000000), ref: 00A4AF67

Strings

@, xrefs: 00A4AE72
<, xrefs: 00A4AE6B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1f56fc69664c075c57b06c30e6ff58a89f3f20ec497cc5cb8b91581d2059b204
Instruction ID: 1bc0dcfaa4502aaf5a3b4070beec89cd7b0182bf65523250eb6a487282a21942
Opcode Fuzzy Hash: 1f56fc69664c075c57b06c30e6ff58a89f3f20ec497cc5cb8b91581d2059b204
Instruction Fuzzy Hash: BE714675A00619DFCB14DF94C485A9EBBF0BF88314F04849DE81AAB362CB74ED45CB92

Function 00A2719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A27206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A2723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A2724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A272CF

Strings

DllGetClassObject, xrefs: 00A27242

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a791f42b6e3e5113fe61bd8c3da1662ce6975c09e132d79e434c7ff4c97713a1
Instruction ID: 25549621343fdb8f2cd52e5d6e0e893a8b617803f395b12e98d3728b2cb6d51d
Opcode Fuzzy Hash: a791f42b6e3e5113fe61bd8c3da1662ce6975c09e132d79e434c7ff4c97713a1
Instruction Fuzzy Hash: BE413971A04314EFDB15CF98D884A9E7BB9EF44710F1580A9FD059F20AD7B1DA45CBA0

Function 00A53D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A53E35
IsMenu.USER32(?), ref: 00A53E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A53E92
DrawMenuBar.USER32 ref: 00A53EA5

Strings

0, xrefs: 00A53D89

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b51b01541579c97e0f83a36dde6104c9c7728b6a95f7b126c5b090ddedc46f3b
Instruction ID: 54151482f8a58145eeee109d1724dfc34ccc29c618a2ab7218b5fa0e97aca813
Opcode Fuzzy Hash: b51b01541579c97e0f83a36dde6104c9c7728b6a95f7b126c5b090ddedc46f3b
Instruction Fuzzy Hash: 84413A76A01209AFDF10DF90D885EAABBF9FF89395F044129ED0597250D730AE59CF60

Function 00A21DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A21E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A21E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A21EA9

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

Strings

ComboBox, xrefs: 00A21DF0
ListBox, xrefs: 00A21E25

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 6148ab9d87189ce86efd5eeeb73b42f9c40298feae848c97099caecaf4602973
Instruction ID: 6fee2507ee273df6297466753b304b081362fb42763243c09be16c2111b9140e
Opcode Fuzzy Hash: 6148ab9d87189ce86efd5eeeb73b42f9c40298feae848c97099caecaf4602973
Instruction Fuzzy Hash: 7D212C71D00104BFDB14ABA8EC59DFF77B8EF95360B104539F825A71D1DB384D0A8620

Function 00A4C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A4C9F1
_wcslen.LIBCMT ref: 00A4CA68
_wcslen.LIBCMT ref: 00A4CA9E
_wcslen.LIBCMT ref: 00A4CAF9
_wcslen.LIBCMT ref: 00A4CB2F
_wcslen.LIBCMT ref: 00A4CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00A4CA62, 00A4CA67
HKLM, xrefs: 00A4CA98, 00A4CA9D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 8dd835371673658bdcf08af3f5b00e7a79965b4f3f384e19104427b6a6e06898
Instruction ID: 3431394c64411b18cc97114065a3f4bc9512cd97743fed1a6c5a8f0ce29ccdca
Opcode Fuzzy Hash: 8dd835371673658bdcf08af3f5b00e7a79965b4f3f384e19104427b6a6e06898
Instruction Fuzzy Hash: 1C31FB7BA0216A4BCB61EF6D88405BF37935BE17E0B154039E8596B345FA71CE44D3A0

Function 00A52F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A52F8D
LoadLibraryW.KERNEL32(?), ref: 00A52F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A52FA9
DestroyWindow.USER32(?), ref: 00A52FB1

Strings

SysAnimate32, xrefs: 00A52F68

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2ed5cf98b2bbdc8b0f79f20dfc1bab9fc7ddbf6bab257920c2a9356de6654066
Instruction ID: 603d5df475bf422b397e9d6652faa8aaa767987c139528117e268cffd5fdf77f
Opcode Fuzzy Hash: 2ed5cf98b2bbdc8b0f79f20dfc1bab9fc7ddbf6bab257920c2a9356de6654066
Instruction Fuzzy Hash: 2C21AE71204205AFEB109FA4EC80FBB37B9FB5A366F104618FD50E6190D771DC6A9B60

Function 009E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009E4D1E,009F28E9,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002), ref: 009E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,009E4D1E,009F28E9,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002,00000000), ref: 009E4DC3

Strings

CorExitProcess, xrefs: 009E4D98
mscoree.dll, xrefs: 009E4D86

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8afd0a15fe65fb02fb51ef78c6043fa0f4ecdcff21aa50a6405950ed9fd0d57d
Instruction ID: b249fee6ee9a261e30979b8f8c909d9b88fd5e50170881f56f1aaa12bb31143a
Opcode Fuzzy Hash: 8afd0a15fe65fb02fb51ef78c6043fa0f4ecdcff21aa50a6405950ed9fd0d57d
Instruction Fuzzy Hash: 1EF04F34A40708BFDB119FA1DC49BAEBBB9FF44762F0001A4F805A62A0CB746D81CB90

Function 009C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C4EAE
FreeLibrary.KERNEL32(00000000,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 009C4EA8
kernel32.dll, xrefs: 009C4E94

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1cdd6c375238f13f380b5917ff2f9411cc335422b4969c16886f32fdeb9b0ff7
Instruction ID: 4adc49a2f707233b92819a73f93b6021133b8cbf9a0e28af82b847aebb8a0077
Opcode Fuzzy Hash: 1cdd6c375238f13f380b5917ff2f9411cc335422b4969c16886f32fdeb9b0ff7
Instruction Fuzzy Hash: 8EE08636F01B226FD22157656C28F5B6658BF81F737060219FC00E3144DB64CD0281A1

Function 009C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009C4E74
FreeLibrary.KERNEL32(00000000,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 009C4E6E
kernel32.dll, xrefs: 009C4E5B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d8518456d8545561fb208ff2632548a9106c015feeb802aa27f425c28517b7c4
Instruction ID: 8ed20ec35c1e22c3346b3336741f929ada43d57f3a52ab8c0300a300033b4680
Opcode Fuzzy Hash: d8518456d8545561fb208ff2632548a9106c015feeb802aa27f425c28517b7c4
Instruction Fuzzy Hash: 0BD01236A02B216FDA225B697C28E8B6A1CBF85F723060619BD05A3119CF64CD02C5D2

Function 00A32947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A32C05
DeleteFileW.KERNEL32(?), ref: 00A32C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A32C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A32CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A32CC0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a885f27f0e7c267de65115b08bcb8811e9002c32a083957e95441eea6f53151f
Instruction ID: 36a4b653dfc39104a37f38f60dc55fd378e32ee4bd3c6d051a80bca6c410f565
Opcode Fuzzy Hash: a885f27f0e7c267de65115b08bcb8811e9002c32a083957e95441eea6f53151f
Instruction Fuzzy Hash: 52B13D72D01219ABDF11EFA5CD85FDEB7BDEF48350F1040A6F609E6151EA30AE448B61

Function 00A4A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A4A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A4A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A4A468
CloseHandle.KERNEL32(?), ref: 00A4A63D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d449724e0a0221c7b509f1cfe03c7cac0f436b5186eec756f9c90a953bfef893
Instruction ID: 601c4978ad8947a141f3c6086b75252414ed9ae430596ee286501cad028734c5
Opcode Fuzzy Hash: d449724e0a0221c7b509f1cfe03c7cac0f436b5186eec756f9c90a953bfef893
Instruction Fuzzy Hash: 53A1AFB5644300AFD720DF24C886F2ABBE5AFD4714F14881DF59A9B392D7B0ED418B82

Function 00A2E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A2CF22,?), ref: 00A2DDFD

Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A2CF22,?), ref: 00A2DE16

Part of subcall function 00A2E199: GetFileAttributesW.KERNEL32(?,00A2CF95), ref: 00A2E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A2E473
MoveFileW.KERNEL32(?,?), ref: 00A2E4AC
_wcslen.LIBCMT ref: 00A2E5EB
_wcslen.LIBCMT ref: 00A2E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A2E650

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cf46543e7f7df1314a81fd307eea1ac8d6c2e45fb7f6b5e9c2ae48a576cb2e31
Instruction ID: 6284f406860a0d4bdd729e4b786b271df765b6d827e35e7f15d885a09edb1228
Opcode Fuzzy Hash: cf46543e7f7df1314a81fd307eea1ac8d6c2e45fb7f6b5e9c2ae48a576cb2e31
Instruction Fuzzy Hash: 2F5164B24083955BC724EB94DC81EDF73ECAF84350F00492EF689D3192EF75A6888766

Function 00A4B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A4BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A4BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A4BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A4BBB3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: cf9beff50abed0849179d4e0d0a3e702b18487a8f6bb1b0b3063a427a7676259
Instruction ID: 91c66523dd78391de401fa6f11f3ee0a77361fefa4e49ead357d3cb3368a4545
Opcode Fuzzy Hash: cf9beff50abed0849179d4e0d0a3e702b18487a8f6bb1b0b3063a427a7676259
Instruction Fuzzy Hash: 29617C35218241AFC314DF14C895F2ABBE5FF84358F14896CF4994B2A2DB31ED46CBA2

Function 00A28BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A28BCD
VariantClear.OLEAUT32 ref: 00A28C3E
VariantClear.OLEAUT32 ref: 00A28C9D
VariantClear.OLEAUT32(?), ref: 00A28D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A28D3B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: fd4e6872a7498d7879c8ea0c4743100545007c1ef93aed04ff3d1c827864e236
Instruction ID: 2ef3d06381e0ec1b57dd94be0806ad4ef28737230e21983c7231af584d707789
Opcode Fuzzy Hash: fd4e6872a7498d7879c8ea0c4743100545007c1ef93aed04ff3d1c827864e236
Instruction Fuzzy Hash: E4516AB5A01219EFDB10CF68D884AAAB7F8FF89310B158569F905DB354E734E911CB90

Function 00A38AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A38BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A38BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A38C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A38C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A38C5F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ca4663fa2e70315a36f0b4d2ff584e9f866906d1f9fcaece64dfd5e8853c5ceb
Instruction ID: 93690779c729204bdc11c7a8d57f688f90f2f72311b4387d5f6a1e1b7ebb4c68
Opcode Fuzzy Hash: ca4663fa2e70315a36f0b4d2ff584e9f866906d1f9fcaece64dfd5e8853c5ceb
Instruction Fuzzy Hash: 3F513675A002159FCB00DF64C881EADBBF5BF88314F088059F849AB362CB35ED51CB91

Function 00A48EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A48F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A48FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A48FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A49032
FreeLibrary.KERNEL32(00000000), ref: 00A49052

Part of subcall function 009DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A31043,?,753CE610), ref: 009DF6E6
Part of subcall function 009DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A1FA64,00000000,00000000,?,?,00A31043,?,753CE610,?,00A1FA64), ref: 009DF70D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 972b2eceefcdb4c4cfdb04fa76a578881720c83a8b5b5adaf9a0cf10241553ab
Instruction ID: b2d9c16977a7298313bb08ab2dc33a423fd174f6059d63e27477dc84fe2636dc
Opcode Fuzzy Hash: 972b2eceefcdb4c4cfdb04fa76a578881720c83a8b5b5adaf9a0cf10241553ab
Instruction Fuzzy Hash: 88513C39A00205DFC711DF58C495DAEBBF1FF89324B048199E8069B762DB31ED86CB91

Function 00A56B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A56C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A56C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A56C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A3AB79,00000000,00000000), ref: 00A56C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A56CC7

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a2caff63f8c18f4f94e335b5ab0f488d8e037b8ac7e022e358d4b8a9a62c3c0c
Instruction ID: 7d6be3e420fa2b27ac1172b24de73cde8c56e2dc9d282fd6e17aeafaf67716e2
Opcode Fuzzy Hash: a2caff63f8c18f4f94e335b5ab0f488d8e037b8ac7e022e358d4b8a9a62c3c0c
Instruction Fuzzy Hash: 7741D335A04204AFDB24CF68CC59FA97BB5FB09361F950228FC95A72E1D771ED45CA40

Function 009F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009F20C3
_free.LIBCMT ref: 009F20E3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 18d95eae4f80516a837a96277bc876945bacc70ef2d4d230fd3ff69132a8df20
Instruction ID: 3893f7c52b3efc4d8b405da366ab9ad04302816e6f578626e7f3845c3de3524c
Opcode Fuzzy Hash: 18d95eae4f80516a837a96277bc876945bacc70ef2d4d230fd3ff69132a8df20
Instruction Fuzzy Hash: CF41C432A002089FCB24DF78C981B6DB7F5EF89314F154569E615EB391DB31AD01CB90

Function 009D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009D9141
ScreenToClient.USER32(00000000,?), ref: 009D915E
GetAsyncKeyState.USER32(00000001), ref: 009D9183
GetAsyncKeyState.USER32(00000002), ref: 009D919D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 96efc2b198263e40b5e9057e1dbbc04522a7fc9c53d6af3dfa2b6c1467b910bc
Instruction ID: b99bd760cf45d0e689e43e0d1fa4a4340d9607057e7649ffafab8e0e6b1d795d
Opcode Fuzzy Hash: 96efc2b198263e40b5e9057e1dbbc04522a7fc9c53d6af3dfa2b6c1467b910bc
Instruction Fuzzy Hash: 97413F71A4861AFFDF19AF64C844BEEB775FB05324F208316E425A72A0C7346994CB91

Function 00A33874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A33922
TranslateMessage.USER32(?), ref: 00A3394B
DispatchMessageW.USER32(?), ref: 00A33955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A33966

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da763e26ff45596ba9024348c5c3258eb137c479d7cac242ef549afa7fed1385
Instruction ID: b1ad9e76f15b6cbb1bae3a2fe27ef1b05628a909e833fdad0823fbd6d5494f1f
Opcode Fuzzy Hash: da763e26ff45596ba9024348c5c3258eb137c479d7cac242ef549afa7fed1385
Instruction Fuzzy Hash: 5731B77260C342DFEF35CBB59859BB637E8EB05305F04456AF462C61A0E7F49686CB11

Function 00A3CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00A3CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CFF2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0316fdd0ad88483b095d1798f09e29dffaf7e771b224ff91e2f7b963c8e1c4db
Instruction ID: 4b0772d5cd3456644c104b42703313ba41fcae406307ad7637a540e160741845
Opcode Fuzzy Hash: 0316fdd0ad88483b095d1798f09e29dffaf7e771b224ff91e2f7b963c8e1c4db
Instruction Fuzzy Hash: E8314971600705AFDB20DFA5DD85AABBBF9EB14365F10842EF506E2241DB30AE41DB60

Function 00A21901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A21915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A219E2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e61db13ad1787f5d67b093dfd92c7138d4768ac0e725e0b2d66f964ff77bc17a
Instruction ID: 5487145b33f18cad9276a0fbb01517c0a8d2b442df8cd17b6d4dcfdc4a3b294c
Opcode Fuzzy Hash: e61db13ad1787f5d67b093dfd92c7138d4768ac0e725e0b2d66f964ff77bc17a
Instruction Fuzzy Hash: 7931BF71A00229EFCB04CFACDD99ADE7BB5FB14325F104229F921A72D1C7709A84CB90

Function 00A55706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A55745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A5579D
_wcslen.LIBCMT ref: 00A557AF
_wcslen.LIBCMT ref: 00A557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A55816

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 43d2a55e0d0fc0e46b80a93a71f4ffda6d741844076c41caa760f155ca5a24a1
Instruction ID: 98e2b1dcebe407ae30b72db8d2d04c76c83370d9113e4d86985f3d44e51ab09c
Opcode Fuzzy Hash: 43d2a55e0d0fc0e46b80a93a71f4ffda6d741844076c41caa760f155ca5a24a1
Instruction Fuzzy Hash: 74218271D04618DADB21DFB0CC85AEE77B8FF44726F108656ED29EA180D7748A89CF50

Function 00A40930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A40951
GetForegroundWindow.USER32 ref: 00A40968
GetDC.USER32(00000000), ref: 00A409A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A409B0
ReleaseDC.USER32(00000000,00000003), ref: 00A409E8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 285ccd621b9be4f03413f4295fe3843fb89630ed1e23423e4442fbf6950bf69f
Instruction ID: 7022a4ff929deea5162ac21ac65ca696d21fdc96c4d3dbd03236cc60cd437a53
Opcode Fuzzy Hash: 285ccd621b9be4f03413f4295fe3843fb89630ed1e23423e4442fbf6950bf69f
Instruction Fuzzy Hash: FC219F35A00214AFD704EFA5D985EAEBBE5FF88711F00842CF84A97752CB30AD05CB50

Function 009FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009FCDE9

Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009FCE0F
_free.LIBCMT ref: 009FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009FCE31

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: bbda2f66f692eb43bea1d0e6e7db80f30dc853126a6eec4358bfbb081a29e8c9
Instruction ID: 040cd05a34e99ac3bae1d2f6e808f3ba92af7befb0a87a9f758ae341eaccc3db
Opcode Fuzzy Hash: bbda2f66f692eb43bea1d0e6e7db80f30dc853126a6eec4358bfbb081a29e8c9
Instruction Fuzzy Hash: 7101D4B2A0171D7F632156B66D88DBB6A6DEEC6BB13158129FA05C7200EA658D0283F0

Function 009D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009D9693
SelectObject.GDI32(?,00000000), ref: 009D96A2
BeginPath.GDI32(?), ref: 009D96B9
SelectObject.GDI32(?,00000000), ref: 009D96E2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3e9e2d8fc9d37bb74f587d916399c8a5959998f331209b7bc86b24b1710a82f3
Instruction ID: 7957bea6bc8d93bdeb3d6a57df9eab904b47f7409c6f3c356a329506df99e378
Opcode Fuzzy Hash: 3e9e2d8fc9d37bb74f587d916399c8a5959998f331209b7bc86b24b1710a82f3
Instruction Fuzzy Hash: 02218030942306EFDF11EFA4DC087A93BB8BB50366F908217F420A62B0D7719892CB90

Function 00A25711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A25726
_memcmp.LIBVCRUNTIME ref: 00A25744
_memcmp.LIBVCRUNTIME ref: 00A25757
_memcmp.LIBVCRUNTIME ref: 00A2576F
_memcmp.LIBVCRUNTIME ref: 00A25787

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0a9666d30618f61ea1105391208cbd040bef542d623d73af74e7da1da9816514
Instruction ID: 7cdac20190813c0d2afe6ee1a4c47158e8b2783ebb4f04a264476c221fbeeba0
Opcode Fuzzy Hash: 0a9666d30618f61ea1105391208cbd040bef542d623d73af74e7da1da9816514
Instruction Fuzzy Hash: 0D01B9B1A81655FFD2089625EE42FBB735CBF613A5F004830FD04AA241F770ED1482A0

Function 009D990E Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009D98CC
SetTextColor.GDI32(?,?), ref: 009D98D6
SetBkMode.GDI32(?,00000001), ref: 009D98E9
GetStockObject.GDI32(00000005), ref: 009D98F1
GetWindowLongW.USER32(?,000000EB), ref: 009D9952

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: b1cc51f2d9b755c33fb33c281a585bcec0fbfa8f880cf83990b1d68850a1e892
Instruction ID: 71d55c456c673bd89aea936b5bfdfb2d0587010ec39902e5d71760fdc7d2a750
Opcode Fuzzy Hash: b1cc51f2d9b755c33fb33c281a585bcec0fbfa8f880cf83990b1d68850a1e892
Instruction Fuzzy Hash: 891138312853509FCB12DF64EC64FE93B34FF06766B04404BF5428B2A2CB314991CB50

Function 009F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009EF2DE,009F3863,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6), ref: 009F2DFD
_free.LIBCMT ref: 009F2E32
_free.LIBCMT ref: 009F2E59
SetLastError.KERNEL32(00000000,009C1129), ref: 009F2E66
SetLastError.KERNEL32(00000000,009C1129), ref: 009F2E6F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8b466cbce3d101fa546740d91549318c3c0571f6b716124ea12ec8a38688d8c6
Instruction ID: ca7bc8dc73916f8c6f71bd1955becac5e2773d1a69f9565c10f4fe0155a5cbc7
Opcode Fuzzy Hash: 8b466cbce3d101fa546740d91549318c3c0571f6b716124ea12ec8a38688d8c6
Instruction Fuzzy Hash: F901F93224570C6BC61267B46C49F7B2A5DBBC17B57314525FB6597192EA748C024320

Function 00A2000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?,?,00A2035E), ref: 00A2002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?), ref: 00A20064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20070

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ae497c8a8f67d9b93cc85013afe564264a3b459bd65fa5d4ed99cb45f8629bde
Instruction ID: c241be6918a558443f9ed939db730794fb0b92a9871ec6337d62bdc54ead7584
Opcode Fuzzy Hash: ae497c8a8f67d9b93cc85013afe564264a3b459bd65fa5d4ed99cb45f8629bde
Instruction Fuzzy Hash: 10018B72600324BFEB108FACEC44FAA7AADEB447A2F144134F905D6225E771DD418BA0

Function 00A2E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A2E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A2E9A5
Sleep.KERNEL32(00000000), ref: 00A2E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A2E9B7
Sleep.KERNEL32 ref: 00A2E9F3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: de8407ed6980b2d84e3b5589eebfead668d1672c5dd5eedee2d2adfac540e8a9
Instruction ID: 2c0350bc327b8f73bbef4b24145c586dd8b8df7db650fed949b5fa1ad3da3301
Opcode Fuzzy Hash: de8407ed6980b2d84e3b5589eebfead668d1672c5dd5eedee2d2adfac540e8a9
Instruction Fuzzy Hash: CC010931C01639DBCF00EBE9ED59ADDFB78BB09711F000666E502B2245CB34959587A1

Function 00A210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A21114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A2112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A2114D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2594a7693ffa52ea4bccbfc5b67656e2c340a52f29fd7b0997393cc36e0ef6c7
Instruction ID: 6e515fb5424936b81d358cb18b40ee1ae936f1db338c2fca2d00907e7d0a9a00
Opcode Fuzzy Hash: 2594a7693ffa52ea4bccbfc5b67656e2c340a52f29fd7b0997393cc36e0ef6c7
Instruction Fuzzy Hash: FA016D75100315BFDB118FA8EC49A6A3F6EFF89375B100428FA41D7350DA31DC11CA60

Function 00A20FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A20FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A20FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A20FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A20FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A21002

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4905f64eabc9217c8ed275ff0dfcd0e7a83315d3e0a8bfb18bd9dd802a2b8dd1
Instruction ID: 4aee6cef52e97ffba69e3028a090a67321a89e2adae678af66082e45bad88e0b
Opcode Fuzzy Hash: 4905f64eabc9217c8ed275ff0dfcd0e7a83315d3e0a8bfb18bd9dd802a2b8dd1
Instruction Fuzzy Hash: 88F04935200315AFDB218FA9AC49F5A3BADFF89762F104424FA46C6291CA70DC818A60

Function 00A21014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A2102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A21036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A2104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21062

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a566e628d15d211f6cd193854a2475b316dddb92354c87847668c6cd61ed4d13
Instruction ID: 91e5ac3fa5581f4ca69fc7f9c423e51bbb9a96c626239b1374eb99431305d2cd
Opcode Fuzzy Hash: a566e628d15d211f6cd193854a2475b316dddb92354c87847668c6cd61ed4d13
Instruction Fuzzy Hash: F2F04935200355AFDB219FA9EC49F5A3BADFF89762F500424FA46C6290CA70D8818A60

Function 00A3030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30324
CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30331
CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A3033E
CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A3034B
CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30358
CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30365

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8c1d15764a55c0cd50903c576368f506e4983511fee4fe7880f5b7abca437160
Instruction ID: 6946285ccf2aaf60b83385efe758a7d5493c2397e28271ce24ed1364f05808ec
Opcode Fuzzy Hash: 8c1d15764a55c0cd50903c576368f506e4983511fee4fe7880f5b7abca437160
Instruction Fuzzy Hash: 4E01A272800B159FC7309F66D890812F7F9FF503153158A3FE19656931C371A955CF80

Function 009FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009FD752

Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0

_free.LIBCMT ref: 009FD764
_free.LIBCMT ref: 009FD776
_free.LIBCMT ref: 009FD788
_free.LIBCMT ref: 009FD79A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f3ec67cd27938a477ccede6ce3fa64c71e5d2dc6646864b6db231db41d45e509
Instruction ID: e81c61bfbe0b4ca1feb2c88a94c70441b7ffeab0382f7f5033c98ed6575bfac8
Opcode Fuzzy Hash: f3ec67cd27938a477ccede6ce3fa64c71e5d2dc6646864b6db231db41d45e509
Instruction Fuzzy Hash: 26F0127258520DABC621FBA4FAC5E3A77DEBB447207A40805F258EB511C770FC808B74

Function 00A25C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A25C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A25C6F
MessageBeep.USER32(00000000), ref: 00A25C87
KillTimer.USER32(?,0000040A), ref: 00A25CA3
EndDialog.USER32(?,00000001), ref: 00A25CBD

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d836274a251513195687e8b654ea0348146b6f5317157e5712a679062bb2e406
Instruction ID: 574b55efd66bc99af546cd8c9910a4b77b43ea9c60ad40abcce63eea2b02de20
Opcode Fuzzy Hash: d836274a251513195687e8b654ea0348146b6f5317157e5712a679062bb2e406
Instruction Fuzzy Hash: 2101AE309007149FEB259B64ED4EF9577B8FF04706F001569B543614E1E7F0AA45CB50

Function 009F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009F22BE

Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0

_free.LIBCMT ref: 009F22D0
_free.LIBCMT ref: 009F22E3
_free.LIBCMT ref: 009F22F4
_free.LIBCMT ref: 009F2305

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4a70a96a9c228d490ed09e848385b824484d88ec932522eafe3390c902f88eb1
Instruction ID: cc5c0051ae07cb306a8f7049a2d173ddd849b8c39195c045d3dc4038635ab719
Opcode Fuzzy Hash: 4a70a96a9c228d490ed09e848385b824484d88ec932522eafe3390c902f88eb1
Instruction Fuzzy Hash: 1AF03A71A801268BC612FFD8BD01EA83B68BB187A0700055BF524D72B1CB700993AFE4

Function 009D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009D95D4
StrokeAndFillPath.GDI32(?,?,00A171F7,00000000,?,?,?), ref: 009D95F0
SelectObject.GDI32(?,00000000), ref: 009D9603
DeleteObject.GDI32 ref: 009D9616
StrokePath.GDI32(?), ref: 009D9631

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: aa02fde2cbf0bfa729d1b2af6c6737ef527559e2721caabc0519a1b77fe438ec
Instruction ID: ffc67c8436969152dee694282ffbaf6e1dc8a8b94275124cdcae27ee1828662d
Opcode Fuzzy Hash: aa02fde2cbf0bfa729d1b2af6c6737ef527559e2721caabc0519a1b77fe438ec
Instruction Fuzzy Hash: A8F01930145705EFDB12EFA5ED187643B65BB01372F448216F425551F1CB318992DF20

Function 009F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009F10F9
__freea.LIBCMT ref: 009F1117

Part of subcall function 009F1537: _free.LIBCMT ref: 009F154F

Strings

am/pm, xrefs: 009F117A
a/p, xrefs: 009F11DE

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b08acab1262753b2003cceb2b06f4f4a6f92061422a24b3cbf6f0d40426f1563
Instruction ID: b9936d3bf3a9dec2c21606e7c8b836b04957dfa25b5f4f78d7215c779a3cd742
Opcode Fuzzy Hash: b08acab1262753b2003cceb2b06f4f4a6f92061422a24b3cbf6f0d40426f1563
Instruction Fuzzy Hash: 08D1F031A0420EDBDB289F68C855BFEB7B9EF05300F284519EB11AB650D7B99D80CBD1

Function 00A47B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 009E0242: EnterCriticalSection.KERNEL32(00A9070C,00A91884,?,?,009D198B,00A92518,?,?,?,009C12F9,00000000), ref: 009E024D
Part of subcall function 009E0242: LeaveCriticalSection.KERNEL32(00A9070C,?,009D198B,00A92518,?,?,?,009C12F9,00000000), ref: 009E028A

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 009E00A3: __onexit.LIBCMT ref: 009E00A9

__Init_thread_footer.LIBCMT ref: 00A47BFB

Part of subcall function 009E01F8: EnterCriticalSection.KERNEL32(00A9070C,?,?,009D8747,00A92514), ref: 009E0202
Part of subcall function 009E01F8: LeaveCriticalSection.KERNEL32(00A9070C,?,009D8747,00A92514), ref: 009E0235

Strings

Variable must be of type 'Object'., xrefs: 00A47C3A
G, xrefs: 00A47C7F
5, xrefs: 00A47C78

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 27a254a01174c953b8214771bd94bbd11d30227adb3376feabf8b1e6ed91e8cb
Instruction ID: 10afad40e811ba03e739ff781623aeab4da8176a36e8411ef432a4dc7ae36987
Opcode Fuzzy Hash: 27a254a01174c953b8214771bd94bbd11d30227adb3376feabf8b1e6ed91e8cb
Instruction Fuzzy Hash: 3A917978A04249EFCB14EF94D991EBDB7B1FF88304F108059F806AB292DB71AE45CB51

Function 00A22716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A2B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A221D0,?,?,00000034,00000800,?,00000034), ref: 00A2B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A22760

Part of subcall function 00A2B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A2B3F8

Part of subcall function 00A2B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A2B355
Part of subcall function 00A2B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A22194,00000034,?,?,00001004,00000000,00000000), ref: 00A2B365
Part of subcall function 00A2B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A22194,00000034,?,?,00001004,00000000,00000000), ref: 00A2B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A2281A

Strings

@, xrefs: 00A22832

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3175977b152cb6916c7100cbb96e96f548ab25d267981b7cd7df4398702eb9f2
Instruction ID: fca6b1cab0ead106faf776737b6e8589da3af18031f222cb52900dbdc571d68e
Opcode Fuzzy Hash: 3175977b152cb6916c7100cbb96e96f548ab25d267981b7cd7df4398702eb9f2
Instruction Fuzzy Hash: 41410C72900228BFDB10DFA8D985BDEBBB8EB05700F104065EA55B7181DA706E45CB61

Function 009F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 009F1769
_free.LIBCMT ref: 009F1834
_free.LIBCMT ref: 009F183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 009F1760, 009F1767, 009F1796, 009F17CE

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 480109f44b7379202d203005191964d99df904a216ebcfe8ea9c163e1343a2c5
Instruction ID: 0e1f582d38a20a6ab0787fcc0de05c56eb1d25f500c55a5a1d00dcf065eae327
Opcode Fuzzy Hash: 480109f44b7379202d203005191964d99df904a216ebcfe8ea9c163e1343a2c5
Instruction Fuzzy Hash: 76318E71A0021CEFDB21EB999981EAEBBFCEB85350F204167FA0497211DB708E41CBD0

Function 00A2C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A2C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A2C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A91990,00FF68A0), ref: 00A2C395

Strings

0, xrefs: 00A2C2DF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1cb050de16b7b0b523680f93e5e2128cc0276491ec6ce34c6357ffc34f55a177
Instruction ID: dc0fe2836032d1a2e4ae5c0a088677c5f4207c8d8511f08af6a01aee1b8d8312
Opcode Fuzzy Hash: 1cb050de16b7b0b523680f93e5e2128cc0276491ec6ce34c6357ffc34f55a177
Instruction Fuzzy Hash: 59419F712043519FD720DF29E884B5EBBE8AF85320F148A2DF9A59B2D1D770E904CB62

Function 00A54416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A5CC08,00000000,?,?,?,?), ref: 00A544AA
GetWindowLongW.USER32 ref: 00A544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A544D7

Strings

SysTreeView32, xrefs: 00A5447C

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7ed6edb7fd848e59af766d9156ad6c6c7272d63c3994e352b8e7e2be933d5183
Instruction ID: afc0a6f45c03992b88f11e742896d36f62e879f6055727f2dd284c2aee548638
Opcode Fuzzy Hash: 7ed6edb7fd848e59af766d9156ad6c6c7272d63c3994e352b8e7e2be933d5183
Instruction Fuzzy Hash: C8318931240605AFDB209F78DC45BEA7BA9FB48339F208715F979A21E0D770AC959B50

Function 00A4304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A4335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A43077,?,?), ref: 00A43378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A4307A
_wcslen.LIBCMT ref: 00A4309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A43106

Strings

255.255.255.255, xrefs: 00A43095, 00A4309A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d18004c70f5b8da6f1e840abceeb22cce954dec559b677805f08821874b5cd87
Instruction ID: eeb2a2c18ecbbb49d858941990843bd7a0af4c5f347cf913a72c158685388348
Opcode Fuzzy Hash: d18004c70f5b8da6f1e840abceeb22cce954dec559b677805f08821874b5cd87
Instruction Fuzzy Hash: 8E31C13A600201DFDF10CF68C585EAA77F0EF94318F248299E9159B392DB72EE41C761

Function 00A53EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A53F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A53F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A53F78

Strings

SysMonthCal32, xrefs: 00A53F0B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 317b52e753431150decf0ee6dd74b21ad2f8aa6647d1abff56ed3c70e4e80a45
Instruction ID: 9f5765cb64a3f727b214fd28642afd9d162fdfb8bfe17bb3854e2761ad84d2e5
Opcode Fuzzy Hash: 317b52e753431150decf0ee6dd74b21ad2f8aa6647d1abff56ed3c70e4e80a45
Instruction Fuzzy Hash: 1421AB33600219BFDF21CF90DC46FEA3BB9FB88764F110214FE156B190D6B5A9598BA0

Function 00A54653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A54705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A54713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A5471A

Strings

msctls_updown32, xrefs: 00A54684

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b14c5a94726d8383e8f6d36cfc7c2d540afd39818bfbbf60fe6416a0cfbf454a
Instruction ID: 2300a7a3147f9c736ba6924a1dc503722a4a431f37ec885c762b147895e5412a
Opcode Fuzzy Hash: b14c5a94726d8383e8f6d36cfc7c2d540afd39818bfbbf60fe6416a0cfbf454a
Instruction Fuzzy Hash: 0E215EB5600209AFEB11DF64DCC1EA737ADFB8E3A9B040459FA009B251DB30EC56CB60

Function 00A295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A2961D

Strings

#requireadmin, xrefs: 00A295D9
#notrayicon, xrefs: 00A295B7
#OnAutoItStartRegister, xrefs: 00A295F3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 326dd5ab23cebde9bb0c5d989c737a347df1b8ffbdcc3f6dd5e25548cfe3d0f4
Instruction ID: ed643237be7f61e51794f524c9b032acd1badc0d89641f8d6aa541c44d3ae06c
Opcode Fuzzy Hash: 326dd5ab23cebde9bb0c5d989c737a347df1b8ffbdcc3f6dd5e25548cfe3d0f4
Instruction Fuzzy Hash: 0D215B32204130AAD331BB2DEC12FB7B3E8AF95B00F10443AF94997141EB619D45C2E6

Function 00A537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A53840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A53850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A53876

Strings

Listbox, xrefs: 00A5380F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ef904f3056c329fae8e80d51847ad37f6f307ef4a401c3d18483335bf827df0f
Instruction ID: 110f55c756dca100c9047d3728e6972b235e36c5ad1619946b43405c0469dfc1
Opcode Fuzzy Hash: ef904f3056c329fae8e80d51847ad37f6f307ef4a401c3d18483335bf827df0f
Instruction Fuzzy Hash: 2921AF72600218BBEF11CFA5CC81FAB376AFFC97A1F108114F9109B190CA71DC568BA0

Function 00A349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A34A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A34A5C
SetErrorMode.KERNEL32(00000000,?,?,00A5CC08), ref: 00A34AD0

Strings

%lu, xrefs: 00A34A6F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c3bc25d2d3473183998de80534b19a5ffff43c93d3b1d728b4a1769971584248
Instruction ID: a7644bbdda5331169dc8139c09caef42639b8ab59d98ab5292f1d47107ca718d
Opcode Fuzzy Hash: c3bc25d2d3473183998de80534b19a5ffff43c93d3b1d728b4a1769971584248
Instruction Fuzzy Hash: 69314F75A00209AFDB10DF54C985EAA7BF8FF48318F1480A9F909DB252D771ED46CB61

Function 00A541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A5424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A54264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A54271

Strings

msctls_trackbar32, xrefs: 00A54226

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e0811af686bd19f396f18ce705686df39802acb31f13788500fa5ac8b7ef608d
Instruction ID: f9955291a6881d82ce47819f55d9c62f2fb518ff4019c3f32b1f56b8afd9b5ca
Opcode Fuzzy Hash: e0811af686bd19f396f18ce705686df39802acb31f13788500fa5ac8b7ef608d
Instruction Fuzzy Hash: FB11E371240208BEEF209F69CC46FEB3BACFF89B69F114514FA55E2090D671D8529B20

Function 00A22F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A

Part of subcall function 00A22DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A22DC5
Part of subcall function 00A22DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A22DD6
Part of subcall function 00A22DA7: GetCurrentThreadId.KERNEL32 ref: 00A22DDD
Part of subcall function 00A22DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A22DE4

GetFocus.USER32 ref: 00A22F78

Part of subcall function 00A22DEE: GetParent.USER32(00000000), ref: 00A22DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A22FC3
EnumChildWindows.USER32(?,00A2303B), ref: 00A22FEB

Strings

%s%d, xrefs: 00A22FFF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0f309c96e997ab2c9a9870b5aa565b5d859294584d3ece8a62dfc0dac4810285
Instruction ID: c8ace0de0752b722e8e7599ec272b01cc9e130058a32125895468c459a276668
Opcode Fuzzy Hash: 0f309c96e997ab2c9a9870b5aa565b5d859294584d3ece8a62dfc0dac4810285
Instruction Fuzzy Hash: 7111B4716002157BDF14BF78AC95FED37AAAF85314F048079FD099B252DE349A498B70

Function 00A55882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A558EE
DrawMenuBar.USER32(?), ref: 00A558FD

Strings

0, xrefs: 00A5588F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 76c0b3a42bed491bcc2920b44f44dc3b5e4dc971d7b931d2d98d71c80f28851c
Instruction ID: 6231c9b1a113d3c9d0cfb8f2ebf064cfa68dec906b32a4b8e419845e23b2ae09
Opcode Fuzzy Hash: 76c0b3a42bed491bcc2920b44f44dc3b5e4dc971d7b931d2d98d71c80f28851c
Instruction Fuzzy Hash: AE018431900218EFDB119FA1DC45BAEBBB5FF45362F10C099E849D6261DB348A84DF71

Function 00A2007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fb29d325a360bc5aa34c1d7f37a0fb3fe1abb1df235c57b60aa5bc5d6d446e
Instruction ID: 2a83828d7f7f1e41f4575aa486016dba4e205d5c855ed5360ece5abef6bcad3b
Opcode Fuzzy Hash: 91fb29d325a360bc5aa34c1d7f37a0fb3fe1abb1df235c57b60aa5bc5d6d446e
Instruction Fuzzy Hash: 11C15A75A0021AEFDB04CFA8D894EAEB7B5FF48304F1185A8E505EB252D731ED41CB90

Function 009F3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009F3F0B
__alldvrm.LIBCMT ref: 009F410C
__alldvrm.LIBCMT ref: 009F412E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 54ee9608c613ab45b7f0d05c81d495d01138b7d5bc7e8af7982f810fc321bbb9
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 5CA12671E0438E9FEB25CF18C8917BFBBE9EF65350F18426DE6959B281C6388981C750

Function 00A4342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A43459
CoUninitialize.OLE32 ref: 00A43463
VariantInit.OLEAUT32(?), ref: 00A4346E
VariantClear.OLEAUT32(?), ref: 00A4371B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6729a13852c2e3208659b061317b0938150a45abfd9a3c842d796148f93c42f4
Instruction ID: 351c875c3a89c5538d431846ebbd33ab36e2c9ca6a8ef2487dbc8b7245236a09
Opcode Fuzzy Hash: 6729a13852c2e3208659b061317b0938150a45abfd9a3c842d796148f93c42f4
Instruction Fuzzy Hash: 69A1E67A6043119FCB10DF68C595A2AB7E5EF88714F05885DF98A9B362DB30EE01CB52

Function 00A20436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A5FC08,?), ref: 00A205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A5FC08,?), ref: 00A20608
CLSIDFromProgID.OLE32(?,?,00000000,00A5CC40,000000FF,?,00000000,00000800,00000000,?,00A5FC08,?), ref: 00A2062D
_memcmp.LIBVCRUNTIME ref: 00A2064E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c6bca80b2ee3ce2d19f8fdf6cd788cc93747f3a3abf9c729b162084bad570d84
Instruction ID: acda06f566bba021b1d43284564a0c12f3cb4fbe37de4f0380a0ecee3941c41a
Opcode Fuzzy Hash: c6bca80b2ee3ce2d19f8fdf6cd788cc93747f3a3abf9c729b162084bad570d84
Instruction Fuzzy Hash: 77810E71A00119EFCB04DF98C984EEEB7B9FF89315F104568F516AB251DB71AE06CB60

Function 00A4A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A4A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A4A6BA

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A4A79C
CloseHandle.KERNEL32(00000000), ref: 00A4A7AB

Part of subcall function 009DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A03303,?), ref: 009DCE8A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2d24689848ec1043eae5403c2cd9c0776561cd267ea23f73094bb3e6fdeb4e6d
Instruction ID: b810c9ba41773712b269a67a0cd7eabf4b837221e67ae634a78418a7ec20bf92
Opcode Fuzzy Hash: 2d24689848ec1043eae5403c2cd9c0776561cd267ea23f73094bb3e6fdeb4e6d
Instruction Fuzzy Hash: A851F6B59083009FD710EF64C886E6ABBE8FFC9754F40891DF59697251EB30D905CBA2

Function 00A01391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A014C0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e10996a30dc93d13265c39cc5ebedb73158b6be2efa0f4ed17c30ad20f458438
Instruction ID: e95ea97cac3f7aa3e329cf9dcb4436d1baece2e7985a65b99b0897b4b23d8731
Opcode Fuzzy Hash: e10996a30dc93d13265c39cc5ebedb73158b6be2efa0f4ed17c30ad20f458438
Instruction Fuzzy Hash: B3412B7160051CABDB216BB9AC457FE3AA4EF81370F144226F529D72E1E7768C415362

Function 00A56278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A562E2
ScreenToClient.USER32(?,?), ref: 00A56315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A56382

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a2d7cc5f96c3a5667b33470adec5fca774bcef985c8f32b8947edbc56c8b0fb1
Instruction ID: faf668d16d3db13ef0bfbed2051ed44ee64c16ead8917f2bae9ae251693b6354
Opcode Fuzzy Hash: a2d7cc5f96c3a5667b33470adec5fca774bcef985c8f32b8947edbc56c8b0fb1
Instruction Fuzzy Hash: E2512B74A00209EFDF10DF68D981AAE7BB5FF45361F508269F8159B2A0D730EE85CB50

Function 00A41AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A41AFD
WSAGetLastError.WSOCK32 ref: 00A41B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A41B8A
WSAGetLastError.WSOCK32 ref: 00A41B94

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 65f45b242ab6d4242a521d9ba686797377a3be9041da7b69a6a9b6afcbdf1e3a
Instruction ID: b08b398fc47170b2270adaf252ffec7ef6c43da24b3c1deb22984c99ede0122e
Opcode Fuzzy Hash: 65f45b242ab6d4242a521d9ba686797377a3be9041da7b69a6a9b6afcbdf1e3a
Instruction Fuzzy Hash: 40417078640200AFE720AF24C886F2977E5EB84718F54C45CF95A9F7D2E672DD828B91

Function 009FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f503e9d4cbb5af5edf23345c92d4f855beb28f23045bba68981fee54dcf6b5
Instruction ID: faf49edd565fb5766fdae4c8e0ed742535881f194fa00918592c706d6bec2862
Opcode Fuzzy Hash: e5f503e9d4cbb5af5edf23345c92d4f855beb28f23045bba68981fee54dcf6b5
Instruction Fuzzy Hash: 76410875A00708AFD724AF38CD41BBABBA9EB84710F10452AF655DB691D775A9018B80

Function 00A356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A35783
GetLastError.KERNEL32(?,00000000), ref: 00A357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A357FA

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e6cb710953c3e394868556dd3b6de9f75f4903a9c9cf31f04afc638ce7cdd1da
Instruction ID: 01441727b5dffd3aa8eb0732067e4bf55d13a62db23f395e46e59b7f1f2fdd5b
Opcode Fuzzy Hash: e6cb710953c3e394868556dd3b6de9f75f4903a9c9cf31f04afc638ce7cdd1da
Instruction Fuzzy Hash: E441FA35A00610DFCB11EF55C545B5DBBE1AF89720F198888F84A5B362CB34FD41DB91

Function 009FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009E6D71,00000000,00000000,009E82D9,?,009E82D9,?,00000001,009E6D71,8BE85006,00000001,009E82D9,009E82D9), ref: 009FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009FD9AB
__freea.LIBCMT ref: 009FD9B4

Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 357912f26d35624ca4e02ab032d40becf854b0c9d80fe08b29e3f4aeeb4f120f
Instruction ID: dbe8175b166120de6f993d9c4fd952745b4226f69c4c8f3211c3b8e9d3ffaaae
Opcode Fuzzy Hash: 357912f26d35624ca4e02ab032d40becf854b0c9d80fe08b29e3f4aeeb4f120f
Instruction Fuzzy Hash: B231E172A0220AABDF25DFA5DC45EBE7BAAEB40710F054168FD04D7150EB75CE90CBA0

Function 00A552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A55352
GetWindowLongW.USER32(?,000000F0), ref: 00A55375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A55382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A553A8

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3e3d8a5d38547c5cab148cad6336b9cfc5e419f8129731c88b5319ddaa5acf96
Instruction ID: 45ec7bd349ac0a22a69865bed9b7fe94c4215d0bbb535225f5f23a09f4120beb
Opcode Fuzzy Hash: 3e3d8a5d38547c5cab148cad6336b9cfc5e419f8129731c88b5319ddaa5acf96
Instruction Fuzzy Hash: 2131C134E55A08EFEB249B74CC35BE83761BB053B2F584012FE199A1E1C7B499889B41

Function 00A2AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A2ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A2AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A2AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A2ACC6

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: efb86569349b3a2c141a9b7d634add910a0941f32edc134248d646cdb0c28061
Instruction ID: 34847ba1880eed40669a61601a58a2f5e250783b4dc5f6ca771124da4fb15e06
Opcode Fuzzy Hash: efb86569349b3a2c141a9b7d634add910a0941f32edc134248d646cdb0c28061
Instruction Fuzzy Hash: 84312830A00328AFFF34CBACEC047FE7BB5ABA5320F04423AE485521D1C37489858752

Function 00A57674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A5769A
GetWindowRect.USER32(?,?), ref: 00A57710
PtInRect.USER32(?,?,00A58B89), ref: 00A57720
MessageBeep.USER32(00000000), ref: 00A5778C

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 616fa75ff5c8cb208fc5a363e40995a8520a23e38edd226872ef30ea09a6c07c
Instruction ID: efae6b171dc930fb1a2f46c189f66b6992975a61cf6ab148bdc047b725678e98
Opcode Fuzzy Hash: 616fa75ff5c8cb208fc5a363e40995a8520a23e38edd226872ef30ea09a6c07c
Instruction Fuzzy Hash: 22418D34A09215EFCB02CF98F894EAD77F5FB49316F1540A9E815AB261D730A94ACF90

Function 00A516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A516EB

Part of subcall function 00A23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A23A57
Part of subcall function 00A23A3D: GetCurrentThreadId.KERNEL32 ref: 00A23A5E
Part of subcall function 00A23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A225B3), ref: 00A23A65

GetCaretPos.USER32(?), ref: 00A516FF
ClientToScreen.USER32(00000000,?), ref: 00A5174C
GetForegroundWindow.USER32 ref: 00A51752

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 61bb3f80a4a858823ea1793e1a952c5a72bb28acfbf072f67738f7d6bb25e3e5
Instruction ID: a94ff88760457feda7240ba7e420b1ab6f6131c908fad5b1c3fd20b72ce052f4
Opcode Fuzzy Hash: 61bb3f80a4a858823ea1793e1a952c5a72bb28acfbf072f67738f7d6bb25e3e5
Instruction Fuzzy Hash: 83311075D00249AFC700DFA9C981EAEBBF9FF88304B5480A9E415E7251D6359E45CFA1

Function 00A58FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

GetCursorPos.USER32(?), ref: 00A59001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A17711,?,?,?,?,?), ref: 00A59016
GetCursorPos.USER32(?), ref: 00A5905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A17711,?,?,?), ref: 00A59094

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 95b52762464dbf8b79d83b20abddc7504df1a545d6b8a4af648795590af1e608
Instruction ID: eea132024bd23a67266ad61ed92cab0698fcf3004c893cdeae047ef9143c9b12
Opcode Fuzzy Hash: 95b52762464dbf8b79d83b20abddc7504df1a545d6b8a4af648795590af1e608
Instruction Fuzzy Hash: 4821BF31600118FFCB25CF94CC58EEB3BB9FB89362F004455F9054B2A1C7319951EB61

Function 00A2D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A5CB68), ref: 00A2D2FB
GetLastError.KERNEL32 ref: 00A2D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A2D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A5CB68), ref: 00A2D376

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 810af2aea0101a005fd83faf4f94b797e1c069ee202d6fe5227585dbf5a4f5c4
Instruction ID: 6a0513c618c4bc49b8dcb81dbc1570f6756f3a8f61754e1e24b916fd03dad38b
Opcode Fuzzy Hash: 810af2aea0101a005fd83faf4f94b797e1c069ee202d6fe5227585dbf5a4f5c4
Instruction Fuzzy Hash: 272180709083119FC300EF68D9859AE77E4FF95324F104A2DF499DB2A2E7309946CB93

Function 00A21571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A2102A
Part of subcall function 00A21014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A21036
Part of subcall function 00A21014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21045
Part of subcall function 00A21014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A2104C
Part of subcall function 00A21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A215BE
_memcmp.LIBVCRUNTIME ref: 00A215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A21617
HeapFree.KERNEL32(00000000), ref: 00A2161E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7d54c7e6ca1bf75e3949e56e9cb7fc092ba76fae2b726191c4ce5c81d59e1e52
Instruction ID: 235e40c54be4bbcb513a2abce75bda11699f0cdb9813db51d889f829a6ce064a
Opcode Fuzzy Hash: 7d54c7e6ca1bf75e3949e56e9cb7fc092ba76fae2b726191c4ce5c81d59e1e52
Instruction Fuzzy Hash: 3B216A71E00219EFDF10DFA9D945BEEB7B8FF94355F1844A9E441AB241E730AA05CBA0

Function 00A52782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A5280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A52824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A52832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A52840

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 037b02cc6aafacace0275434f42ff166c86fe918356318f3b92ec4fbc7c5c1aa
Instruction ID: 90935a09ae63e810f7e0e1fd1917fd3269cc0c1b9a1ec4fb7f00e7656074d7f7
Opcode Fuzzy Hash: 037b02cc6aafacace0275434f42ff166c86fe918356318f3b92ec4fbc7c5c1aa
Instruction Fuzzy Hash: 7621C131604211AFD714DB64C845FAA7BA5FF86325F148158F8268B6E2C771FC86C7D0

Function 00A278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A28D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A2790A,?,000000FF,?,00A28754,00000000,?,0000001C,?,?), ref: 00A28D8C
Part of subcall function 00A28D7D: lstrcpyW.KERNEL32(00000000,?,?,00A2790A,?,000000FF,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A28DB2
Part of subcall function 00A28D7D: lstrcmpiW.KERNEL32(00000000,?,00A2790A,?,000000FF,?,00A28754,00000000,?,0000001C,?,?), ref: 00A28DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A27923
lstrcpyW.KERNEL32(00000000,?,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A27949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A27984

Strings

cdecl, xrefs: 00A2797B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8bf7c796c3b87d2317dccdf87e9ef439096faa592c82964f02b563a245f211fb
Instruction ID: 6e67bb6a744927d28480a6bdb65a6ad5fa6a9819275e0376f5d3336a16c7d2b2
Opcode Fuzzy Hash: 8bf7c796c3b87d2317dccdf87e9ef439096faa592c82964f02b563a245f211fb
Instruction Fuzzy Hash: C811E63A200312AFDB159F38E845E7E77A9FF85350B50803AF946CB3A4EB319951C7A1

Function 00A57CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A57D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A57D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A57D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A3B7AD,00000000), ref: 00A57D6B

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 454c4e17abbea663f6774d2b4ed9236a12901262674dc85ecd2ede7d2e08400a
Instruction ID: c17e2fd2a3d2c2bc6fd1e307a9bd4ff44b75f9933a1c65ae3ce52353dafdbf5e
Opcode Fuzzy Hash: 454c4e17abbea663f6774d2b4ed9236a12901262674dc85ecd2ede7d2e08400a
Instruction Fuzzy Hash: 1411CD32204615AFCB10DFA8EC44AAA3BA5BF45372B118325FC39E72F0E7319955CB40

Function 00A55660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A556BB
_wcslen.LIBCMT ref: 00A556CD
_wcslen.LIBCMT ref: 00A556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A55816

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: eb1d90080cbaf7368073c67c26df857b64f32252e68eae97676be6e613d719fc
Instruction ID: c7efe0ccc56c20c57a6595a8288a6265b8b6b4c0405ee27dde6196425fdf2261
Opcode Fuzzy Hash: eb1d90080cbaf7368073c67c26df857b64f32252e68eae97676be6e613d719fc
Instruction Fuzzy Hash: 1511B471E0060496DF20DFB1CC95AEE77BCFF51762B108026FD15D6081E7748A88CBA0

Function 009F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87184ded072c972463dfc62b76ccd0dac1c424bd5c095f7eaf60a91a155b45db
Instruction ID: a8affd096f236287117c6829937bc3993c4df52602e74f81d9acd85589095ef7
Opcode Fuzzy Hash: 87184ded072c972463dfc62b76ccd0dac1c424bd5c095f7eaf60a91a155b45db
Instruction Fuzzy Hash: 3B014FB2209A1EBEF71116B86CC1F77662DEF817B8B341725F731A11D6DB608C4153A0

Function 00A21A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A21A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A21A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A21A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A21A8A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cc379e2066379b05ab59e8aa2ac3e0a598a6ed20410a073db9a4d25c78abe05d
Instruction ID: ca9b0c819589f2d3312fad1ff4da2430939407d5221c9923e897da6c04598b7c
Opcode Fuzzy Hash: cc379e2066379b05ab59e8aa2ac3e0a598a6ed20410a073db9a4d25c78abe05d
Instruction Fuzzy Hash: D8113C3AD01229FFEB10DBA8CD85FADBB78FB18750F2000A1E600B7290D6716E51DB94

Function 00A2E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A2E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A2E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A2E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A2E24D

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4441058a4dae8967f619445262597c2bbef4b09cff413e61cf589a36fd4dfb1c
Instruction ID: 39e5cff70f4d215def3624040955599f5aea32b567684ccc1cc9b07ac3ef5afc
Opcode Fuzzy Hash: 4441058a4dae8967f619445262597c2bbef4b09cff413e61cf589a36fd4dfb1c
Instruction Fuzzy Hash: B111E572A04365FFCB01DBECAC05A9B7BACAB45321F104226F925E7290D670894187A0

Function 009ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,009ECFF9,00000000,00000004,00000000), ref: 009ED218
GetLastError.KERNEL32 ref: 009ED224
__dosmaperr.LIBCMT ref: 009ED22B
ResumeThread.KERNEL32(00000000), ref: 009ED249

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 7f4645d2260e825826635f5fac30ca9cfc4b76df7dcc1d5b0124c0d56dbe9ad3
Instruction ID: 7779051a2dc4eed75465a7dade77b9c6ca935fd54bb3fd9472a0833bafd548a8
Opcode Fuzzy Hash: 7f4645d2260e825826635f5fac30ca9cfc4b76df7dcc1d5b0124c0d56dbe9ad3
Instruction Fuzzy Hash: 4701D636806248BFC7125BA7DC05BAE7A6DEFC1731F104219FA35962D0DB718D01C7A0

Function 00A59EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2

GetClientRect.USER32(?,?), ref: 00A59F31
GetCursorPos.USER32(?), ref: 00A59F3B
ScreenToClient.USER32(?,?), ref: 00A59F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A59F7A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1e64494769d3661a000cb995542ee6fe74b288497f6ea86d2c6eac18789063ba
Instruction ID: d756c4060b3e2a42655620b2198d85f2244025c3b3f9e6d90509ac5362007265
Opcode Fuzzy Hash: 1e64494769d3661a000cb995542ee6fe74b288497f6ea86d2c6eac18789063ba
Instruction Fuzzy Hash: 4211483290021AEFDB00DFA8D8859EE77B8FB45312F000455F901E7140D730BA8ACBA1

Function 009C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009C604C
GetStockObject.GDI32(00000011), ref: 009C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 009C606A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 56b7c417928b91f6fef2ea5ac346e2ca6c125ff3bdea2eb3d0aee2c30ec19e12
Instruction ID: 71fd74ba6fcf375e87dff4f5e8019cb7c77923cef1c8fa4f4e491809f13a7ac2
Opcode Fuzzy Hash: 56b7c417928b91f6fef2ea5ac346e2ca6c125ff3bdea2eb3d0aee2c30ec19e12
Instruction Fuzzy Hash: D5115E72501609BFEF128F959C54FEA7B6DFF0C3A5F050215FA1462110D7369C619B91

Function 009E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 009E3B56

Part of subcall function 009E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009E3AD2
Part of subcall function 009E3AA3: ___AdjustPointer.LIBCMT ref: 009E3AED

_UnwindNestedFrames.LIBCMT ref: 009E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 009E3BA4

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7fcff65aed567fea1e9b5d2ef7236205692c6bcecb67fd6d9c96e879b31113e7
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BA01E932100189BBDF126E96CC46EEB7B6EEF98754F048054FE58A6121D732ED61DBA0

Function 009F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009C13C6,00000000,00000000,?,009F301A,009C13C6,00000000,00000000,00000000,?,009F328B,00000006,FlsSetValue), ref: 009F30A5
GetLastError.KERNEL32(?,009F301A,009C13C6,00000000,00000000,00000000,?,009F328B,00000006,FlsSetValue,00A62290,FlsSetValue,00000000,00000364,?,009F2E46), ref: 009F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009F301A,009C13C6,00000000,00000000,00000000,?,009F328B,00000006,FlsSetValue,00A62290,FlsSetValue,00000000), ref: 009F30BF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: def06930bae7c9bc035dadeac535e5b8581610d486d9ed16488bbf98aa0125df
Instruction ID: 6741bf9b2f76b311de09ce1dc1edfa253a8c96ae5dea70b50ca2e3fdc5bb85ba
Opcode Fuzzy Hash: def06930bae7c9bc035dadeac535e5b8581610d486d9ed16488bbf98aa0125df
Instruction Fuzzy Hash: E101D83230132AAFC7218BB99C44D7B7B9CAF05BB1B188621FA05D7240CF29D942C7D0

Function 00A27464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A2747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A27497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A274CA

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0bb02f8018af937454bab496cc20fe8e2303b127a92607345e33036bc488c95a
Instruction ID: 33e0688b32da5d8e3073ff50f1e0d2e8860b477e33b26092a152a3ac3a889448
Opcode Fuzzy Hash: 0bb02f8018af937454bab496cc20fe8e2303b127a92607345e33036bc488c95a
Instruction Fuzzy Hash: 0611A1B52053209FE720DF58EC08F9A7BFCFB00B10F508569E616D6151D770EA04DB51

Function 00A2B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B126

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: cbe4695100f90a721e806e71f1b197a43d03281d4b3e5a264f8491769f5d1d69
Instruction ID: 96b5ff0bc261e185d36605a8ea8056466a0dde03870baf9cf1df8f1f67977091
Opcode Fuzzy Hash: cbe4695100f90a721e806e71f1b197a43d03281d4b3e5a264f8491769f5d1d69
Instruction Fuzzy Hash: 88116131C11A3DDBCF00EFE8E9686EEBB78FF49711F1042A5D941B2145CB3055518B61

Function 00A57E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A57E33
ScreenToClient.USER32(?,?), ref: 00A57E4B
ScreenToClient.USER32(?,?), ref: 00A57E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A57E8A

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0ec6936cc5a39101c64516d2b63947eed2a8caf3164db13db30acceac48c6ed5
Instruction ID: cee25e19f60491bfab40e9cb6a50275812828c6afce6771e00c6ad73a8ccc461
Opcode Fuzzy Hash: 0ec6936cc5a39101c64516d2b63947eed2a8caf3164db13db30acceac48c6ed5
Instruction Fuzzy Hash: 8D1172B9D0020AAFDB41CF98C884AEEBBF9FF08311F109066E911E3614D734AA55CF90

Function 00A22DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A22DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A22DD6
GetCurrentThreadId.KERNEL32 ref: 00A22DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A22DE4

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d99e7b4b3a7d4e7e193922e3fca184f4f7342a363bfdfcb7a9a6e6e1c70aba9c
Instruction ID: 7f27a3bbb1a0d8a053f925f5935f1e4a0a002ab57013acd4c39165847751b4f9
Opcode Fuzzy Hash: d99e7b4b3a7d4e7e193922e3fca184f4f7342a363bfdfcb7a9a6e6e1c70aba9c
Instruction Fuzzy Hash: 1CE06D721013347BD7205BB6AC0DFEB7E6CFB42BB2F001125F105D10809AA4CA42C6B0

Function 00A58863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009D9693
Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96A2
Part of subcall function 009D9639: BeginPath.GDI32(?), ref: 009D96B9
Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A58887
LineTo.GDI32(?,?,?), ref: 00A58894
EndPath.GDI32(?), ref: 00A588A4
StrokePath.GDI32(?), ref: 00A588B2

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0c8d8ee6aa5b68e0c131a45f104404c5e26cd964817dda284cf01bc3f52d5e3b
Instruction ID: 90cf7f0431769ab17402854d9e1b1d6b4c1058c45676ace9914cca42e30a1d2a
Opcode Fuzzy Hash: 0c8d8ee6aa5b68e0c131a45f104404c5e26cd964817dda284cf01bc3f52d5e3b
Instruction Fuzzy Hash: 28F03A36141359BADB12AFD4AC09FCA3B59BF06362F448101FA21650E2CB795512CBA5

Function 009D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009D98CC
SetTextColor.GDI32(?,?), ref: 009D98D6
SetBkMode.GDI32(?,00000001), ref: 009D98E9
GetStockObject.GDI32(00000005), ref: 009D98F1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f434315db7bd961d119271a77df9d8de57594d3e172d80cdf7d08a082c4ff273
Instruction ID: 4c816f8f01f5e707a39922e1ca7152ea4ac340d0c48528d81efb35ce7b9fbf5e
Opcode Fuzzy Hash: f434315db7bd961d119271a77df9d8de57594d3e172d80cdf7d08a082c4ff273
Instruction Fuzzy Hash: 57E06D31284780AEDB219BB8BC09BEC3F21BB12336F04831AF6FA590E5C77146819B10

Function 00A2162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A21634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A211D9), ref: 00A2163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A211D9), ref: 00A21648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A211D9), ref: 00A2164F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8bf9fc18626c2bbbb469ae7ef74d87280994652b83d119181dc5ce8af4a5fc26
Instruction ID: a76a1ff5f3d4df33130a93c056000f54d1734d6dd05f4ce71daf67d5e3a7c700
Opcode Fuzzy Hash: 8bf9fc18626c2bbbb469ae7ef74d87280994652b83d119181dc5ce8af4a5fc26
Instruction Fuzzy Hash: 66E04F71602321AFD7205BE4AD0DB8A3B68BF54BA6F144818F245C9084D6244542C750

Function 00A1D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A1D858
GetDC.USER32(00000000), ref: 00A1D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A1D882
ReleaseDC.USER32(?), ref: 00A1D8A3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ddf7934fb3b4020db0549a93fa5b9d6d26f730ddef91f22cc808f9fe0a11a112
Instruction ID: 4be4d21fbc0f6dbd04f380a4dc43be617a09555b2bcd3e7efb75a27bb64860b1
Opcode Fuzzy Hash: ddf7934fb3b4020db0549a93fa5b9d6d26f730ddef91f22cc808f9fe0a11a112
Instruction Fuzzy Hash: FBE075B5800305DFCB419FE0D908A6DBBB5FB48722B149459E84AE7654C7385A42AF51

Function 00A1D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A1D86C
GetDC.USER32(00000000), ref: 00A1D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A1D882
ReleaseDC.USER32(?), ref: 00A1D8A3

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 639cffdfa0aaf890a08edde8c8646a85fc4a66e5ab42717b974f5e292efce43a
Instruction ID: dcd6af519eb08746324e0b7d1f4a7ca906c0b16251b2bb4430e4b906990f6394
Opcode Fuzzy Hash: 639cffdfa0aaf890a08edde8c8646a85fc4a66e5ab42717b974f5e292efce43a
Instruction Fuzzy Hash: E2E092B5C00304EFCF51EFE0E808A6DBBB5FB48722B149449E94AE7654CB385A02EF50

Function 00A34D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A34ED4

Strings

LPT, xrefs: 00A34DFB
*, xrefs: 00A34E10

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9f1d2b30b67dfb77008c44370d8939f99bd5a21e88e7fa80bb9a31894bdfe89a
Instruction ID: 86f51391733095f67223552f7479db240d5d4ad67b1636f40c5d87a7679ff26f
Opcode Fuzzy Hash: 9f1d2b30b67dfb77008c44370d8939f99bd5a21e88e7fa80bb9a31894bdfe89a
Instruction Fuzzy Hash: 21915C75A002449FCB14DF58C484EAABBF1BF49704F188099F80A9F3A2D735EE85CB91

Function 009EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009EE30D

Strings

pow, xrefs: 009EE2E5, 009EE302

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1c3f8216804f73f06b3116d5ca996e017889b7e8e6edb72e9bbcae8d09131a0b
Instruction ID: ed0c46b9fbf186df881965e9d0943752370137aa3330c368a9fc86ce2014b4ec
Opcode Fuzzy Hash: 1c3f8216804f73f06b3116d5ca996e017889b7e8e6edb72e9bbcae8d09131a0b
Instruction Fuzzy Hash: 2F51AF61A0C60A96CB13BB95CD01379BBACEB40740F304D59E1E5833F9EF348C929B46

Function 009DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 009DE1B1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 15e6f394031c4341d8587ce65426b114123f17c58b26f14f05837dd9ce2c646a
Instruction ID: ea3c39bb60b016057d04d1f10528a3f4906bb1db1d142d59c3322704c9ea7b8d
Opcode Fuzzy Hash: 15e6f394031c4341d8587ce65426b114123f17c58b26f14f05837dd9ce2c646a
Instruction Fuzzy Hash: 7B514735940346DFEB15EF68C481AFA7BA8EF55310F24805AECA19F2D0D7349D82CB90

Function 009DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 009DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 009DF2BB

Strings

@, xrefs: 009DF2AF

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: bac4a7fa71e966a6602821ca76fbb1835fde8bf81a4fb67fb048d39460869185
Instruction ID: 1d7311080420bc086890f101576d701f761cbda6c09f5d2dbd4f9585cbfc2269
Opcode Fuzzy Hash: bac4a7fa71e966a6602821ca76fbb1835fde8bf81a4fb67fb048d39460869185
Instruction Fuzzy Hash: 255114718087449BD320EF54DC86BABBBF8FBC4300F81885DF199411A5EB71956ACB67

Function 00A45745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A457E0
_wcslen.LIBCMT ref: 00A457EC

Strings

CALLARGARRAY, xrefs: 00A457E6, 00A457EB

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 84028bc96e27618889da6a77a8d24fa1fc96ca7c5a28a19bba121a40594c4408
Instruction ID: 8fc7f7d4ed14c42ecda458320e2b2b44f0cb452f5c8448eeaae19606a60f3cc9
Opcode Fuzzy Hash: 84028bc96e27618889da6a77a8d24fa1fc96ca7c5a28a19bba121a40594c4408
Instruction Fuzzy Hash: 0D419275E002099FCB14EFB9C885ABEBBF5FF99324F104069E505A7252EB309D81DB90

Function 00A3D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A3D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A3D13A

Strings

|, xrefs: 00A3D10B

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: fcaf7a9d028674ff602d144c3d1ecf0a520a3910be1a1aed9544762b29b2d443
Instruction ID: 61c0a1de2d1b51bb44ecc876923b75b418ee522b01e49e9fa327a03b949d1924
Opcode Fuzzy Hash: fcaf7a9d028674ff602d144c3d1ecf0a520a3910be1a1aed9544762b29b2d443
Instruction Fuzzy Hash: C031F571D00209ABCF15EFA5DC85FEEBFB9FF45340F00011AF815A6166E631AA56CB61

Function 00A5356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A53621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A5365C

Strings

static, xrefs: 00A535BC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0f8cd5df6f51c77f1fa2074dbb3c209d554f143800bf1eb3d56c972f327b245f
Instruction ID: dd06020509e00acd2057dc61719bc3aa9d2cf086394f3c34abd483df9d3d1151
Opcode Fuzzy Hash: 0f8cd5df6f51c77f1fa2074dbb3c209d554f143800bf1eb3d56c972f327b245f
Instruction Fuzzy Hash: 65318B72100604AEDB10DF68DC80FBB73A9FF88761F10961DFCA597290DA30AD86DB60

Function 00A54537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A5461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A54634

Strings

', xrefs: 00A5458E

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: af35196d4b32341ab2cf54dba1c1887a84f4ae57f9854aecdd47c337538bff11
Instruction ID: 0fe4024e672451c5a890b9be6c8804c625a9ebc95896eef125c28fd956e7a760
Opcode Fuzzy Hash: af35196d4b32341ab2cf54dba1c1887a84f4ae57f9854aecdd47c337538bff11
Instruction Fuzzy Hash: 7E3118B4A0130AAFDB14CFA9C990BDA7BB5FF49305F14406AED05AB351E770A985CF90

Function 00A531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A5327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A53287

Strings

Combobox, xrefs: 00A53249

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1e054631ab96b5c0eda77d5b4badd8c0f4a0904443cdacccd5f6ddca9b532d00
Instruction ID: e58708349fd3e7b4057e40bd8e79446cfe100a55909d230c709ba62b27e4950f
Opcode Fuzzy Hash: 1e054631ab96b5c0eda77d5b4badd8c0f4a0904443cdacccd5f6ddca9b532d00
Instruction Fuzzy Hash: 46119D723006087FEF219F94DC80EFF3B6AFBA83A5F104229F919A7290D6759D558760

Function 00A53710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009C604C
Part of subcall function 009C600E: GetStockObject.GDI32(00000011), ref: 009C6060
Part of subcall function 009C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C606A

GetWindowRect.USER32(00000000,?), ref: 00A5377A
GetSysColor.USER32(00000012), ref: 00A53794

Strings

static, xrefs: 00A53757

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 128df34688ca146bd967afe703820b8e549f1f75ea2a936b70668a168fb790da
Instruction ID: 49d5ccef6947c9352fe2f7f14505064c62c8bf5808a089a28bc38190803cdba2
Opcode Fuzzy Hash: 128df34688ca146bd967afe703820b8e549f1f75ea2a936b70668a168fb790da
Instruction Fuzzy Hash: 951126B2A1020AAFDF00DFA8CC46EEA7BB8FB48355F004915FD56E2250E735E955DB60

Function 00A3CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A3CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A3CDA6

Strings

<local>, xrefs: 00A3CD66

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 27e6e21814333f8754a21e4ae27cc93441bbefa5d28c3163b9ca191748c5c120
Instruction ID: cd85e3331dc0a5f86715f5985081d9e04a49c26a83cfab249a25daa632b81675
Opcode Fuzzy Hash: 27e6e21814333f8754a21e4ae27cc93441bbefa5d28c3163b9ca191748c5c120
Instruction Fuzzy Hash: D311C2B5205631BED7384B668C49EE7BEACEF127F4F00422AB109A3080D7749941D7F0

Function 00A53429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A534BA

Strings

edit, xrefs: 00A5348F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 57f83cf12ff57cc984d31da7167704bd75913ca7e27bbb3e6db2375e7050e6f3
Instruction ID: c9b90657e301b163d6147612fc2112e3a7c8cfd2247eeef15d798b15db31a213
Opcode Fuzzy Hash: 57f83cf12ff57cc984d31da7167704bd75913ca7e27bbb3e6db2375e7050e6f3
Instruction Fuzzy Hash: EE118B72100208AFEF118FA49C40AAA376AFB843B6F504724FD61931D4C735DC9A9750

Function 00A26C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A26CB6
_wcslen.LIBCMT ref: 00A26CC2

Strings

STOP, xrefs: 00A26CBC, 00A26CC1

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a11be7230e3af0686cd3ebad85048125584d36036021b08cc9571b0f05ab33be
Instruction ID: d70c76a0aae0d6ca94551687efa28009d1f47a07c7d9d89f4629b2d6cb3d3c1b
Opcode Fuzzy Hash: a11be7230e3af0686cd3ebad85048125584d36036021b08cc9571b0f05ab33be
Instruction Fuzzy Hash: 1501D232A0193A8BCB21AFFDEC80ABF77B5FBA57147500539E86297195EB31D900C650

Function 00A21CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A21D4C

Strings

ComboBox, xrefs: 00A21CEB
ListBox, xrefs: 00A21D16

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 20eacb678fc82b65d0397a48854c09cdfddc6b78fb5669a7a6b59cc4268f8872
Instruction ID: 7ba8cc3cf23519f96ba421eaaa84ddc2ce6812869970d37e1af3c25e26276e03
Opcode Fuzzy Hash: 20eacb678fc82b65d0397a48854c09cdfddc6b78fb5669a7a6b59cc4268f8872
Instruction Fuzzy Hash: BF012871A00224ABCF08EFA8ED15EFE73A8FB62350B400929F872572C1EA3459088761

Function 00A21BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A21C46

Strings

ComboBox, xrefs: 00A21BE5
ListBox, xrefs: 00A21C10

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: de8e890a52b8cd2728ad694be6464840c80e453732e2d812a30faf444b49b622
Instruction ID: 1d06d3ded91c26974c075481abd95cc6c905dbbe97bbacd51629852fcc431166
Opcode Fuzzy Hash: de8e890a52b8cd2728ad694be6464840c80e453732e2d812a30faf444b49b622
Instruction Fuzzy Hash: 71018475A811187BCB08EBA4DA55FFF77A89B62340F140029A816772C1EA249E1886B2

Function 00A21C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A21CC8

Strings

ComboBox, xrefs: 00A21C69
ListBox, xrefs: 00A21C94

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 262b4a8ac51e2abb72cecefd0cfafc92aa9f80dca8c1a88b2bb123d8c9093104
Instruction ID: 92747c737c8893acd6f09a140d8b01a326b9e119c485a61e4961a1c44d586880
Opcode Fuzzy Hash: 262b4a8ac51e2abb72cecefd0cfafc92aa9f80dca8c1a88b2bb123d8c9093104
Instruction Fuzzy Hash: 8B01DB75E8012467CF04FBA8DB15FFE77A8AB21340F140439B80673281EA249F18C672

Function 00A21D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD

Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A21DD3

Strings

ComboBox, xrefs: 00A21D75
ListBox, xrefs: 00A21DA0

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 73c0afbf3d584a746d16b80e35b8e15883e3d1cc200f8dc5f3db4cfa60928f42
Instruction ID: 6304778e90e28b75a6f54bc97f5e613ea257cd8ad415e1a1fca7c3966d939dfd
Opcode Fuzzy Hash: 73c0afbf3d584a746d16b80e35b8e15883e3d1cc200f8dc5f3db4cfa60928f42
Instruction Fuzzy Hash: 05F0CD71F41224A7DB18F7A8DD55FFF7778BB52350F040D29F862632C1EA64590C8261

Function 00A4747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A47493
_wcslen.LIBCMT ref: 00A474B9

Strings

3, 3, 16, 1, xrefs: 00A47483

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7714bbd2e46d7a0f6c98c8d350a262fd84d77e299e8f94b10067f4d0e8ce3ae7
Instruction ID: 4d7e9763ef290122826587824e7a51617618e2bd12e80f50a0095166ecd7399b
Opcode Fuzzy Hash: 7714bbd2e46d7a0f6c98c8d350a262fd84d77e299e8f94b10067f4d0e8ce3ae7
Instruction Fuzzy Hash: BDE02B0A2042A0209232237A9CC1A7F5789DFC9B91710182BF981D6267EB94CD9193F1

Function 00A20B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A20B23

Strings

Error allocating memory., xrefs: 00A20B1C
AutoIt, xrefs: 00A20B17

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 240328025acb3633ec788db3951f9bdeed0f3bee885909750952e03798239e7e
Instruction ID: 50c0d40225461533142dfa413d258859245f923c31fe07d594a0223415a95436
Opcode Fuzzy Hash: 240328025acb3633ec788db3951f9bdeed0f3bee885909750952e03798239e7e
Instruction Fuzzy Hash: A0E0D8312843183ED21037957C03F897F84EF09F61F10482BFB88955C38AE1685046A9

Function 009E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009E0D71,?,?,?,009C100A), ref: 009DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,009C100A), ref: 009E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009C100A), ref: 009E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009E0D7F

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5b75aafe0e6aa728bc31748685febcb981067f1da01e762ba1becb88212d0939
Instruction ID: da159851db3c8b367d956c45d1b3a104a67ab89e9b91c9277624ab30d23e6cff
Opcode Fuzzy Hash: 5b75aafe0e6aa728bc31748685febcb981067f1da01e762ba1becb88212d0939
Instruction Fuzzy Hash: FEE06D702003418FD371EFB9E80578A7BE4BB40745F00892DE882C7695DBF0E889CBA1

Function 00A33017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A3302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A33044

Strings

aut, xrefs: 00A33038

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b10c57a4abadc6547898064ea9ed7dc6b6ee8a0a1f671dc8489c3917b8e764e7
Instruction ID: 08a610a79147774b4aa50418f13c790ba52eb6e060caf3cf16cba49aa534020c
Opcode Fuzzy Hash: b10c57a4abadc6547898064ea9ed7dc6b6ee8a0a1f671dc8489c3917b8e764e7
Instruction Fuzzy Hash: E3D05E725003287BDA20F7E4AC4EFCB7A6CEB04761F0006A1B655E2095EAB09985CBD0

Function 00A52322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A5233F

Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3

Strings

Shell_TrayWnd, xrefs: 00A52325

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2ffa984c5d750d6af02ebd1e0951de130f21050ae729f9af6e7b6099805c7186
Instruction ID: 2d63dc13b102921bb690f79d62a7dca35cf135305862f91f940075ea895b0193
Opcode Fuzzy Hash: 2ffa984c5d750d6af02ebd1e0951de130f21050ae729f9af6e7b6099805c7186
Instruction Fuzzy Hash: 40D012763D4310BBE664F7B0ED1FFC6BA14BB00B21F0049167745AA1D4D9F4A842CB54

Function 00A52356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5236C
PostMessageW.USER32(00000000), ref: 00A52373

Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3

Strings

Shell_TrayWnd, xrefs: 00A52365

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c2fa820f661dc520790992be051a232a75c2a2d56232fdc7f44a5379de92883a
Instruction ID: f06c07b333be2a754f73efbf7f6783ff241464a44f5906d838307a4f12b73e85
Opcode Fuzzy Hash: c2fa820f661dc520790992be051a232a75c2a2d56232fdc7f44a5379de92883a
Instruction Fuzzy Hash: 9ED0C9723C13107AE664F7B0AD1FFC6A614AB04B21F4049167645AA1D4D9A4A8428A54

Function 009FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009FBE93
GetLastError.KERNEL32 ref: 009FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009FBEFC

Memory Dump Source

Source File: 00000000.00000002.1763016376.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000000.00000002.1762984571.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763133803.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763234994.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763268268.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3fe1b8ecdbac3aebe82e4fc5886336700ebf6bdbc0045c541e8c6caa7c5eb694
Instruction ID: d043f7311d4307ac971acbefa3b67ca1b94aa00f919fe0b7a439219412d267b1
Opcode Fuzzy Hash: 3fe1b8ecdbac3aebe82e4fc5886336700ebf6bdbc0045c541e8c6caa7c5eb694
Instruction Fuzzy Hash: 8241083460020EAFCF21AFA5CC54BBABBA9EF41720F144169FB599B2A1DB308D01CB50

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1900433916.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884189639.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900433916.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884189639.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ^[a-z0-9-._]*@[a-z0-9-._]+$https://www.facebook.com/__MSG_extensionDescription__OptionalPermissionOrOriginhttps://www.google.com/search1tog0cdkasggly29o8xqc6p37https://www.aliexpress.com/main/nimbus-desktop-experimentsimages/duckduckgo-com@2x.svghttps://www.amazon.co.uk/favicons/duckduckgo-com.ico equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900433916.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792295721.000001924BC6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884189639.000001925994E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900433916.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884189639.000001925994E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903189823.0000019254DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2935896638.000001F032D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935390514.0000020AEAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2935896638.000001F032D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935390514.0000020AEAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2935896638.000001F032D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2935390514.0000020AEAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1932848760.000001924C9A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940399580.000001924C9A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1941329667.000001924C7CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846106482.000001924CB27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1941921998.000001924C7A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49800 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0c85571a-b00f-4e52-8f7a-ad8de11b9487.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_0c85571a-b00f-4e52-8f7a-ad8de11b9487.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre