Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532865
MD5:	39ef3cbb09537bea4c8779f80f42495f
SHA1:	c727758f89379a2f6b0ab836e75709d17415fc1b
SHA256:	2c49a8d0996a872f68c525405f547cf7f0cba662cb7079dc27ba032c4e1b7638
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 39EF3CBB09537BEA4C8779F80F42495F)

taskkill.exe (PID: 7312 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7412 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7468 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7532 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7596 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7652 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7688 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7704 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7960 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a418fc79-5b10-472b-b3cd-23cdedc49dfe} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1ade8070b10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7492 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -parentBuildID 20230927232528 -prefsHandle 4392 -prefMapHandle 4388 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {047d8eaa-463a-4f5e-ba84-be975c9a4469} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adf7ed0610 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3548 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 5364 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c385fcad-3934-4ff5-b833-6d8b82e95124} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adfa339310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7292	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0088EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0088EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0088ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0088EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0087AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_008A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1691171922.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e983d524-0
Source: file.exe, 00000000.00000000.1691171922.00000000008D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_adb38b83-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0359f9dd-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d58c4a7d-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026DBAC88437 NtQuerySystemInformation,		16_2_0000026DBAC88437
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026DBACB3332 NtQuerySystemInformation,		16_2_0000026DBACB3332

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0087D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00871201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00871201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0087E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00882046	0_2_00882046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00818060	0_2_00818060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878298	0_2_00878298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084E4FF	0_2_0084E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084676B	0_2_0084676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A4873	0_2_008A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083CAA0	0_2_0083CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081CAF0	0_2_0081CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082CC39	0_2_0082CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00846DD9	0_2_00846DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008191C0	0_2_008191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082B119	0_2_0082B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00831394	0_2_00831394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00831706	0_2_00831706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083781B	0_2_0083781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008319B0	0_2_008319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00817920	0_2_00817920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082997D	0_2_0082997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00837A4A	0_2_00837A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00837CA7	0_2_00837CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00831C77	0_2_00831C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00849EEE	0_2_00849EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089BE44	0_2_0089BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00831F32	0_2_00831F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026DBAC88437	16_2_0000026DBAC88437
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026DBACB3332	16_2_0000026DBACB3332
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026DBACB3A5C	16_2_0000026DBACB3A5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026DBACB3372	16_2_0000026DBACB3372

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0082F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00830A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@76/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008837B5 GetLastError,FormatMessageW,

0_2_008837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008710BF AdjustTokenPrivileges,CloseHandle,		0_2_008710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0087D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0088648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a418fc79-5b10-472b-b3cd-23cdedc49dfe} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1ade8070b10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -parentBuildID 20230927232528 -prefsHandle 4392 -prefMapHandle 4388 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {047d8eaa-463a-4f5e-ba84-be975c9a4469} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adf7ed0610 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 5364 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c385fcad-3934-4ff5-b833-6d8b82e95124} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adfa339310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a418fc79-5b10-472b-b3cd-23cdedc49dfe} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1ade8070b10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -parentBuildID 20230927232528 -prefsHandle 4392 -prefMapHandle 4388 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {047d8eaa-463a-4f5e-ba84-be975c9a4469} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adf7ed0610 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 5364 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c385fcad-3934-4ff5-b833-6d8b82e95124} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adfa339310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1928344903.000001ADFA0D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1946989254.000001ADF77BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1946439168.000001ADF77BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1946989254.000001ADF77BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1945221295.000001ADF77BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbB source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1943428811.000001AE02B11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1928344903.000001ADFA0D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb@ source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1945221295.000001ADF77BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000D.00000003.1938162411.000001ADF9E74000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb@ source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1944236524.000001AE02B11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdbP4O source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1928556386.000001ADF9FDE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1944236524.000001AE02B11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe, 0000000D.00000003.1930320427.000001ADF94E3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1943428811.000001AE02B11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000D.00000003.1929187442.000001ADF977A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb`rc source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938106649.000001ADFA090000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000D.00000003.1938162411.000001ADF9E74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: nssckbi.pdb@ source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb@ source: firefox.exe, 0000000D.00000003.1928344903.000001ADFA0D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1928556386.000001ADF9FDE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1928556386.000001ADF9FDE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1928507580.000001ADFA06A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1946439168.000001ADF77BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000D.00000003.1929580943.000001ADF96FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000D.00000003.1929187442.000001ADF977A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: firefox.exe, 0000000D.00000003.1929618052.000001ADF96DE000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00830A76 push ecx; ret

0_2_00830A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0082F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95839

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000026DBAC88437 rdtsc

16_2_0000026DBAC88437

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0087DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008868EE FindFirstFileW,FindClose,	0_2_008868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0088698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0087D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00889642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00889642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0088979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00889B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00889B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00885C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00885C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: firefox.exe, 00000012.00000002.2955141272.0000017ECD12A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=P
Source: firefox.exe, 0000000F.00000002.2956473438.0000029236E2A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2955209258.0000026DBA3AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2961744518.0000026DBAB60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2962144209.0000017ECD500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2962224681.0000029237314000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2956473438.0000029236E2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: firefox.exe, 0000000F.00000002.2963551466.0000029237740000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2961744518.0000026DBAB60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000026DBAC88437 rdtsc

16_2_0000026DBAC88437

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0088EAA2 BlockInput,

0_2_0088EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00842622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00834CE8 mov eax, dword ptr fs:[00000030h]

0_2_00834CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00870B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00870B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00842622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00842622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0083083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008309D5 SetUnhandledExceptionFilter,	0_2_008309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00830C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00830C21

Source: C:\Users\user\Desktop\file.exe

0_2_00871201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00852BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00852BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0087B226 SendInput,keybd_event,

0_2_0087B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00870B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00871663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00871663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00830698 cpuid

0_2_00830698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00888195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00888195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086D27A GetUserNameW,

0_2_0086D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0084BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00891204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00891806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	38%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
206.23.85.13.in-addr.arpa	1%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
http://detectportal.firefox.com/	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	0%	Virustotal		Browse
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.65	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.80	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.185.142	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.186.142	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.65.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.171	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	1%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000D.00000003.1883611388.000001ADF8B8D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1892423512.000001ADFB793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937172292.000001ADFB7A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD4C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1919593707.000001AE00210000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1917917920.000001AE008F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890626726.000001AE008F6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2958430159.00000292371C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2962658668.0000017ECD703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1889084360.000001ADFFE4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863904195.000001ADFFE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887038667.000001ADFFE44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960142966.000001ADFFE4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.2958430159.0000029237172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD48F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1890842372.000001AE00227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919352310.000001AE00231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797573827.000001ADF9864000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1919352310.000001AE00231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1930242658.000001ADF94F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918150962.000001AE008DA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1751601407.000001ADF7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752271545.000001ADF7B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752445839.000001ADF7B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751944876.000001ADF7B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751758757.000001ADF7B1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1928978741.000001ADF97E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933367590.000001ADF8DAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796133805.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1891854103.000001ADFFD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922446130.000001ADFFD4F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1921979475.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891538161.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1751601407.000001ADF7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884866474.000001ADF8BFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899355598.000001ADF8BF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752271545.000001ADF7B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752445839.000001ADF7B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751944876.000001ADF7B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751758757.000001ADF7B1F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.google.com/complete/searchdf070348-e771-4bd5-964e-d19d82c1384ee98c663d-408d-4901-9666-66	firefox.exe, 0000000D.00000003.1797573827.000001ADF9864000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1751601407.000001ADF7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752271545.000001ADF7B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752445839.000001ADF7B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751944876.000001ADF7B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751758757.000001ADF7B1F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2958430159.00000292371C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2962658668.0000017ECD703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1894390407.000001ADF96A3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1921979475.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891538161.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2958430159.00000292371C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2962658668.0000017ECD703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1929187442.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796133805.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD40C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1890842372.000001AE00227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919352310.000001AE00231000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1935849631.000001ADFFF8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937172292.000001ADFB7A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD4C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1868915892.000001ADF8B2B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956405772.000001ADF8B2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1926372827.000001ADFB0A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928476258.000001ADFA0A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928410508.000001ADFA0B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1933367590.000001ADF8DAA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1890626726.000001AE008DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1917155099.000001AE01367000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1919352310.000001AE00231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795746138.000001ADFBCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1937172292.000001ADFB7A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1890842372.000001AE00227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919352310.000001AE00231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.2958242672.0000026DBA686000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1891854103.000001ADFFD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922446130.000001ADFFD4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1890760923.000001AE002DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934999800.000001AE002F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918666849.000001AE002F5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1923018140.000001ADFFD2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887038667.000001ADFFE38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1816248461.000001ADF8EBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887596479.000001ADFB5AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926835858.000001ADFA388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898189457.000001ADF823F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957743900.000001ADF8B29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1955030554.000001ADF8EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850045894.000001ADF8FF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895069106.000001ADF85F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880633668.000001ADF8FF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921878068.000001ADFFDAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1956405772.000001ADF8B37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929719110.000001ADF96D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861594992.000001ADF823E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925985797.000001ADFB0CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1957743900.000001ADF8B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890190346.000001ADF823F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847393287.000001ADF8F0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878074377.000001ADF8E63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893352285.000001ADFB254000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1924344002.000001ADFB4E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1928689343.000001ADF9E9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929187442.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796133805.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1928689343.000001ADF9E9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929187442.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796133805.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1890760923.000001AE002DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934999800.000001AE002F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918666849.000001AE002F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1889084360.000001ADFFE4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863904195.000001ADFFE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887038667.000001ADFFE44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1960142966.000001ADFFE4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1921979475.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891538161.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1939733486.000001ADF8912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797573827.000001ADF9864000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1921979475.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891538161.000001ADFFD8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1893946542.000001ADF9FC0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1956749761.000001ADF7334000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887721606.000001ADF7338000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888327599.000001ADF7339000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754027484.000001ADF7333000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1894390407.000001ADF96B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1929752692.000001ADF96B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1892692605.000001ADFB296000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925146150.000001ADFB2AC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1887925046.000001ADF7B8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1956749761.000001ADF7334000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887721606.000001ADF7338000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888327599.000001ADF7339000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754027484.000001ADF7333000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2958430159.00000292371C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2962658668.0000017ECD703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1921387503.000001ADFFF6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891290355.000001ADFFDC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1890842372.000001AE00227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919352310.000001AE00231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797573827.000001ADF9864000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1751758757.000001ADF7B1F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1890842372.000001AE00227000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751601407.000001ADF7900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884866474.000001ADF8BFE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899355598.000001ADF8BF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752271545.000001ADF7B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752445839.000001ADF7B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751944876.000001ADF7B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751758757.000001ADF7B1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1891854103.000001ADFFD4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922446130.000001ADFFD4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2957900281.0000029236F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2957696916.0000026DBA590000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2962303112.0000017ECD600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1894390407.000001ADF96A3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vk.com/	firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr	firefox.exe, 0000000D.00000003.1917155099.000001AE0135B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1924344002.000001ADFB4E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795384460.000001AE002FB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
52.222.236.80	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.185.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532865
Start date and time:	2024-10-14 03:31:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@76/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 44 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.26.161.5, 35.83.8.120, 52.25.49.43, 2.22.61.59, 2.22.61.56, 142.250.186.174, 172.217.18.110, 142.250.185.138, 142.250.185.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7704 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:32:21	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.80	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.253.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.251.35
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	http://bancolombia-personas-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
AMAZON-02US	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	52.210.33.116
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	Unknown	Browse	52.210.33.116
	https://payrollruntimesheet.weebly.com/verify.html	Get hash	malicious	HTMLPhisher	Browse	50.112.173.192
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	108.156.60.94
	http://chwcs91azo1jf8f6b6acu6sf7da7lxazxwg6fo8epa.sbxaccountants.com.au/	Get hash	malicious	Captcha Phish	Browse	18.245.78.122
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	52.36.31.154
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.170.150.109
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://john17237.wixsite.com/my-site	Get hash	malicious	HTMLPhisher	Browse	34.149.206.255
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.49.241.189
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.170.150.109
	https://currenntlyattyah06.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.160.46.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f8de9437-4d1e-4f17-aa03-f198cdf45683.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179157426041667
Encrypted:	false
SSDEEP:	192:FjMXaEPcbhbVbTbfbRbObtbyEl7nMrsJA6WnSrDtTUd/SkDr8:FYzcNhnzFSJsr/BnSrDhUd/C
MD5:	3CDD730009FBEEC4058589600B8D1498
SHA1:	26D15D711CA5D16D79E5317D2F545F7B6070CB8C
SHA-256:	F39DF9522B2987A54825941D94D335A6775AC794E55DBA4E17584C5578DCE7B4
SHA-512:	26139862587CDE6AB5337839C4B42929EFBC3989CA955353960D8548F7B4C2BC340DDA3254A522A008932136A5714DB1F1BB909848D281027CF692DB8B8DF26E
Malicious:	false
Preview:	{"type":"uninstall","id":"f8de9437-4d1e-4f17-aa03-f198cdf45683","creationDate":"2024-10-14T03:31:29.741Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f8de9437-4d1e-4f17-aa03-f198cdf45683.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.179157426041667
Encrypted:	false
SSDEEP:	192:FjMXaEPcbhbVbTbfbRbObtbyEl7nMrsJA6WnSrDtTUd/SkDr8:FYzcNhnzFSJsr/BnSrDhUd/C
MD5:	3CDD730009FBEEC4058589600B8D1498
SHA1:	26D15D711CA5D16D79E5317D2F545F7B6070CB8C
SHA-256:	F39DF9522B2987A54825941D94D335A6775AC794E55DBA4E17584C5578DCE7B4
SHA-512:	26139862587CDE6AB5337839C4B42929EFBC3989CA955353960D8548F7B4C2BC340DDA3254A522A008932136A5714DB1F1BB909848D281027CF692DB8B8DF26E
Malicious:	false
Preview:	{"type":"uninstall","id":"f8de9437-4d1e-4f17-aa03-f198cdf45683","creationDate":"2024-10-14T03:31:29.741Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9238741193712565
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNYDo:8S+OfJQPUFpOdwNIOdYVjvYcXaNL/F8P
MD5:	F07D39F94524E20F4EBB5F21ACD506F2
SHA1:	402CCAAB64CD553FB8AF3C2344BC2A1A7D473C7C
SHA-256:	7F2F1FEAEF461B150E5DC4C41DF24148F2DD94C667B14473C686708D49E05763
SHA-512:	25C27BF37E76296D6750711F503E5B0E1614BAD1B78AC71860225E82E3133C896C242302EA0A16E09306D559FA2F007CDD510075D708027001C3BC37F30F53CD
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.9238741193712565
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNYDo:8S+OfJQPUFpOdwNIOdYVjvYcXaNL/F8P
MD5:	F07D39F94524E20F4EBB5F21ACD506F2
SHA1:	402CCAAB64CD553FB8AF3C2344BC2A1A7D473C7C
SHA-256:	7F2F1FEAEF461B150E5DC4C41DF24148F2DD94C667B14473C686708D49E05763
SHA-512:	25C27BF37E76296D6750711F503E5B0E1614BAD1B78AC71860225E82E3133C896C242302EA0A16E09306D559FA2F007CDD510075D708027001C3BC37F30F53CD
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6075
Entropy (8bit):	6.623258976790648
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1j2+:JTx2x2t0FDJ4NF6ILPd+Md0k+uj
MD5:	0EE1DEA50353EF72B3983D45C0F79672
SHA1:	83A858B3793BD9B1C35A954FA71582F557DDAB01
SHA-256:	76D8DD378010DD3158633286B32FCEE00A63EA8E85EAF2E60A8B8B1F6FD32C87
SHA-512:	D08B7A1C9EBF2C277662EA7314B371EE114153AE8CA840100D9EA053210BD20188CE591CA247C7E541590C6AAD925AD10F84F1AA025ACB2F01BC37B1DBC57EBD
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07321939076235841
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkihAi:DLhesh7Owd4+jiW
MD5:	FBE5E7DBB87F09890AC3D89E46E4DF24
SHA1:	3646EB57B8D46B620FAE7FC84AE0134A3FFE7089
SHA-256:	C40BCAB0037A626D7259F274A58170CADD93C07B3E1B7FD44F091CC849FEF40A
SHA-512:	6C13D2E271D6BC692D8CC47C99A513C1277D95DE35790A51CB6FC208DA420A5D84A5548AB86FA460EEB2DE77D38D70B9DE1EC6D7FB5C636C6556C1724FD29318
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03527958441686221
Encrypted:	false
SSDEEP:	3:GtlstFk8xO4ov2/9V/tlstFk8xO4ov2/9C89//alEl:GtWtmKUu/9V/tWtmKUu/9C89XuM
MD5:	A6452E949FB929AF22D58071467AD8E5
SHA1:	7FE579FE1B160934FA5070B2A06BC5DD54C427CE
SHA-256:	C130FD2FDA10B63CCE3DBE92C862515E685E1AAE839934FFC57ECA731C0F1750
SHA-512:	2B4194532D0329308E502C79B250F8383FE9011823476E59369139DCFC511BE1FCD3D0864534B8668E526403CEDEBF87F4962CA4EA6B816CE4B73385F73F11A3
Malicious:	false
Preview:	..-.....................3Y.@.).x...tk......Z....-.....................3Y.@.).x...tk......Z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03989725522705737
Encrypted:	false
SSDEEP:	3:Ol18ufKZlJllof/VUtoIfQF57l8rEXsxdwhml8XW3R2:K6uKlJa+y0QFll8dMhm93w
MD5:	E744798D3A9B0ABC1D96AA5AE008B5E8
SHA1:	DA95C283F5B12BAFBE30922A56063C0600182B69
SHA-256:	976536A93EB77D1515D38D6C1B43E23DE29B62A404043A16A150D03C3C3971AC
SHA-512:	D5207833F282E905A98F0E3DF10E5B700B64AECDE1CA2D3AB9EC62492EFF593D258A15B57769F2EFF5291A56937451FD3A0DD732B606A1227EFDD2CA76B07170
Malicious:	false
Preview:	7....-.............tk.....R\|@............tk.@.Y3x.).................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495467336058525
Encrypted:	false
SSDEEP:	192:KnaRtLYbBp6Uhj4qyaaXv6KlON3I5RfGNBw8dLSl:Pe2qhy6YcwA0
MD5:	D2955FBB2331FA349D02C40240016BC9
SHA1:	BF0E6421114A50AAB6AE4F580454E298328E35B5
SHA-256:	B6B7C880EDDC318E3B7D19E81B8C343AC304230841B2CE16C54A0DA78A8F7240
SHA-512:	0280BBC7691B55A964AC897D89F8FB0F071BD2DF05CAFB06D559DCA3A80910C35244414B4F3DF8ABEF3147DC62E99AA41AF873CB2B6991233EAD67D98D17DECE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728876659);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728876659);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728876659);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172887

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495467336058525
Encrypted:	false
SSDEEP:	192:KnaRtLYbBp6Uhj4qyaaXv6KlON3I5RfGNBw8dLSl:Pe2qhy6YcwA0
MD5:	D2955FBB2331FA349D02C40240016BC9
SHA1:	BF0E6421114A50AAB6AE4F580454E298328E35B5
SHA-256:	B6B7C880EDDC318E3B7D19E81B8C343AC304230841B2CE16C54A0DA78A8F7240
SHA-512:	0280BBC7691B55A964AC897D89F8FB0F071BD2DF05CAFB06D559DCA3A80910C35244414B4F3DF8ABEF3147DC62E99AA41AF873CB2B6991233EAD67D98D17DECE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728876659);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728876659);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728876659);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172887

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.330894967341538
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSWLXnI8/pnxQwRlszT5sKt0Z3eHVQj6TEJamhujJlOsIomNVr0aDgX:GUpOx35nR6c3eHTU4JlIquR4
MD5:	B589F711E0B82526D5D12BCA096B89BC
SHA1:	A427F2F678743E3B9E0D6404F0E71B07EA7A61F9
SHA-256:	7FF3CC23EAA4506051F7856CF479260E94DDE1FCCC030B31C1C6C153C727647B
SHA-512:	6265EF57B2895C162B1EA18581C98078AEFCDB9D6D6C65C2CEFE4749F96A51091F051110E5D23A364B90346982BE761970A44D8BC9E99327B75C9EC183E3EA2D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ebf5d56a-e8f5-435c-825a-3a429c4b708d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK...}],"lastAccessed":1728876....78,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P29365...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...43397,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.330894967341538
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSWLXnI8/pnxQwRlszT5sKt0Z3eHVQj6TEJamhujJlOsIomNVr0aDgX:GUpOx35nR6c3eHTU4JlIquR4
MD5:	B589F711E0B82526D5D12BCA096B89BC
SHA1:	A427F2F678743E3B9E0D6404F0E71B07EA7A61F9
SHA-256:	7FF3CC23EAA4506051F7856CF479260E94DDE1FCCC030B31C1C6C153C727647B
SHA-512:	6265EF57B2895C162B1EA18581C98078AEFCDB9D6D6C65C2CEFE4749F96A51091F051110E5D23A364B90346982BE761970A44D8BC9E99327B75C9EC183E3EA2D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ebf5d56a-e8f5-435c-825a-3a429c4b708d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK...}],"lastAccessed":1728876....78,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P29365...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...43397,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.330894967341538
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSWLXnI8/pnxQwRlszT5sKt0Z3eHVQj6TEJamhujJlOsIomNVr0aDgX:GUpOx35nR6c3eHTU4JlIquR4
MD5:	B589F711E0B82526D5D12BCA096B89BC
SHA1:	A427F2F678743E3B9E0D6404F0E71B07EA7A61F9
SHA-256:	7FF3CC23EAA4506051F7856CF479260E94DDE1FCCC030B31C1C6C153C727647B
SHA-512:	6265EF57B2895C162B1EA18581C98078AEFCDB9D6D6C65C2CEFE4749F96A51091F051110E5D23A364B90346982BE761970A44D8BC9E99327B75C9EC183E3EA2D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ebf5d56a-e8f5-435c-825a-3a429c4b708d}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK...}],"lastAccessed":1728876....78,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P29365...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...43397,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033749103915331
Encrypted:	false
SSDEEP:	48:YrSAYh6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ychyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	FAC039BF0E743625A87403AEA64CDB6E
SHA1:	36A8CFF476EB6C807310FAA91BFB75796667B126
SHA-256:	196C799AE7579D401661EA75FBF9D55BD03874225C9BD7EFF5153359AA623A54
SHA-512:	5408304B31922AD035455479FB106BA74EB104CB7396E833DBB446F9C8570840F74C2AF37078CB8D02EEB6827F2A614AFCAB1962F803B113FA5096E3093ABCAC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T03:30:48.590Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033749103915331
Encrypted:	false
SSDEEP:	48:YrSAYh6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ychyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	FAC039BF0E743625A87403AEA64CDB6E
SHA1:	36A8CFF476EB6C807310FAA91BFB75796667B126
SHA-256:	196C799AE7579D401661EA75FBF9D55BD03874225C9BD7EFF5153359AA623A54
SHA-512:	5408304B31922AD035455479FB106BA74EB104CB7396E833DBB446F9C8570840F74C2AF37078CB8D02EEB6827F2A614AFCAB1962F803B113FA5096E3093ABCAC
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T03:30:48.590Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584709455861516
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	39ef3cbb09537bea4c8779f80f42495f
SHA1:	c727758f89379a2f6b0ab836e75709d17415fc1b
SHA256:	2c49a8d0996a872f68c525405f547cf7f0cba662cb7079dc27ba032c4e1b7638
SHA512:	380912daf56281a5ed1efcacfc8d5a9afb7abfb44455847d8b6f360dd2c623e1de7eb3750a9fb497b180081dde4fe7eb584034752a2231dde240106783d8b03a
SSDEEP:	12288:LqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TF:LqDEvCTbMWu7rQYlBQcBiT6rprG8abF
TLSH:	C3159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C711B [Mon Oct 14 01:17:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FF5E07C7283h
jmp 00007FF5E07C6B8Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF5E07C6D6Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF5E07C6D3Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FF5E07C992Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FF5E07C9978h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FF5E07C9961h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	88808a9bd8e80f9897a5ae691dd6abe6	False	0.31561511075949367	data	5.373741270333461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 03:32:10.803339005 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:10.803400040 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:10.804686069 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:10.844126940 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:10.844149113 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:11.373883963 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:11.373956919 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:11.445693016 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:11.445717096 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:11.445827007 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:11.446321964 CEST	443	49736	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:11.461839914 CEST	49736	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:13.266648054 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:13.266706944 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:13.267010927 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:13.270775080 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:13.270803928 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:13.278703928 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:13.281961918 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:13.282054901 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:13.282397985 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:13.283631086 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:13.283668995 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:13.285370111 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:13.285629988 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:13.285777092 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:13.291307926 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:13.436714888 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:13.436772108 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:13.436935902 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:13.438113928 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:13.438148975 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:13.494327068 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:13.494366884 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:13.496687889 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:13.496913910 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:13.496927977 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:13.510745049 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:13.510819912 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:13.511454105 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:13.513415098 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:13.513446093 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:13.841150999 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:13.890870094 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:13.935853958 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:13.935911894 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:13.936038971 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:13.936186075 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:13.936208010 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.007411003 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.012981892 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.021543026 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.021559000 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.021687984 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.021827936 CEST	443	49741	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.021872044 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.022105932 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.022130966 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.022224903 CEST	49741	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.022272110 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.022274971 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.022866964 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.025741100 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.026745081 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.027435064 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.031402111 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.034368038 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.034382105 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.038081884 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.038115025 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.042395115 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.051413059 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.052411079 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.053685904 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.056848049 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.056864023 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.056936026 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.057432890 CEST	443	49738	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.058010101 CEST	49738	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.060149908 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:14.062724113 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:14.065849066 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:14.065853119 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:14.066271067 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:14.066402912 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.066724062 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.066751003 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.066823959 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.067161083 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.067177057 CEST	443	49747	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.067357063 CEST	443	49740	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.069360018 CEST	49740	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.069603920 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.071099997 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.071115971 CEST	443	49747	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.071233034 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.075850964 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.075864077 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.075947046 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.076117992 CEST	443	49743	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.076251030 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.076325893 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.077480078 CEST	49743	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.077502012 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.077650070 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.077738047 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.079183102 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.079212904 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.080182076 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:14.080241919 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:14.080581903 CEST	443	49742	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:14.080811977 CEST	49742	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:14.082519054 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.343296051 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.350173950 CEST	80	49739	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.367857933 CEST	49739	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.430649042 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.439413071 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.448335886 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.502132893 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.502156019 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.503115892 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.510947943 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.511082888 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.511379004 CEST	443	49744	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.511476994 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.511543989 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.519540071 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.525387049 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.525388956 CEST	49744	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.525394917 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.527409077 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:14.527437925 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:14.529551029 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.529557943 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.529611111 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.529695034 CEST	443	49745	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.529791117 CEST	49745	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.530186892 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.546648979 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.551964045 CEST	80	49746	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.560036898 CEST	49746	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.560760975 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.561561108 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.566332102 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.566359043 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.566420078 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.566895008 CEST	443	49748	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.567037106 CEST	49748	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.622670889 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.627845049 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.627896070 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.627895117 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.630861998 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.630948067 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.631139994 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:14.633073092 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:14.633104086 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:14.636507034 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:14.720031977 CEST	443	49747	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.720125914 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.722511053 CEST	443	49747	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.732827902 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.755431890 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.755448103 CEST	443	49747	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.755549908 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:14.756108999 CEST	443	49747	142.250.185.142	192.168.2.4
Oct 14, 2024 03:32:14.763945103 CEST	49747	443	192.168.2.4	142.250.185.142
Oct 14, 2024 03:32:15.011797905 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:15.011847973 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:15.011890888 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:15.014581919 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:15.014626026 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:15.015223026 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:15.017652988 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:15.017721891 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:15.017847061 CEST	443	49750	34.160.144.191	192.168.2.4
Oct 14, 2024 03:32:15.018105030 CEST	49750	443	192.168.2.4	34.160.144.191
Oct 14, 2024 03:32:15.255122900 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:15.264878988 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.269376993 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.273297071 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.273314953 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.273596048 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.273749113 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.273765087 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.274185896 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.274277925 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.274435997 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.276051998 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.276084900 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.313749075 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:15.479439974 CEST	443	49752	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.480001926 CEST	49752	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.517244101 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:15.522120953 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:15.522205114 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:15.522383928 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:15.527148962 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:15.756722927 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.756813049 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.762029886 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.762058973 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.762130022 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.762269020 CEST	443	49753	34.117.188.166	192.168.2.4
Oct 14, 2024 03:32:15.762470961 CEST	49753	443	192.168.2.4	34.117.188.166
Oct 14, 2024 03:32:15.977446079 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:16.023736000 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:18.843403101 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:18.848588943 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:18.946064949 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:18.995734930 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:19.774096012 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:19.779196978 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:19.871115923 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:19.918363094 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:22.880877018 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:22.886001110 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:22.983757019 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:23.033921003 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:23.535120010 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:23.535211086 CEST	443	49763	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:23.535326004 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:23.535561085 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:23.535589933 CEST	443	49763	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:23.537126064 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:23.537215948 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:23.537420034 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:23.538763046 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:23.538801908 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:23.575079918 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:23.579989910 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:23.648405075 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:23.648433924 CEST	443	49765	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:23.651314020 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:23.653270006 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:23.653291941 CEST	443	49765	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:23.671681881 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:23.713828087 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.029768944 CEST	443	49763	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:24.029901981 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:24.032754898 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:24.032808065 CEST	443	49763	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:24.033576012 CEST	443	49763	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:24.035970926 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:24.036055088 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:24.036154032 CEST	443	49763	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:24.036218882 CEST	49763	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:24.059849977 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.060188055 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.060461044 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.064754009 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:24.064933062 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.064948082 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.065018892 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.065217018 CEST	443	49764	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.065282106 CEST	49764	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.162189007 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:24.179555893 CEST	443	49765	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:24.179728985 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:24.184027910 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:24.184041977 CEST	443	49765	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:24.184081078 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:24.184297085 CEST	443	49765	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:24.184664965 CEST	49765	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:24.210128069 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.210177898 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.210685968 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.211957932 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.211992979 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.215214968 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.376966953 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.381979942 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:24.393944979 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.394027948 CEST	443	49767	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.394155025 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.395531893 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.395546913 CEST	443	49767	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.473609924 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:24.482326984 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.487262011 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:24.516062021 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.584774017 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:24.639987946 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.698354006 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.701018095 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.743894100 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.743956089 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.744009018 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.744563103 CEST	443	49766	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:24.754462957 CEST	49766	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:24.883995056 CEST	443	49767	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.884107113 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.893920898 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.893935919 CEST	443	49767	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.894048929 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.894211054 CEST	443	49767	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.894463062 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.894535065 CEST	443	49768	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.894664049 CEST	49767	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.894700050 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.896086931 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:24.896126032 CEST	443	49768	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:24.944665909 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:24.949691057 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.041424036 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.102226019 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.224402905 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.225949049 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.225971937 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:25.226799965 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.228287935 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.228303909 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:25.231321096 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.334285021 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.384210110 CEST	443	49768	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:25.384295940 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:25.387340069 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.390095949 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:25.390101910 CEST	443	49768	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:25.390218019 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:25.390397072 CEST	443	49768	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:25.390489101 CEST	49768	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:25.476502895 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.481477976 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.512146950 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.517038107 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.519407034 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.519490004 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:25.531676054 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.566947937 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.566972017 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:25.569022894 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.569099903 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:25.570666075 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:25.573393106 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.614192963 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:25.628249884 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.659424067 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:25.740914106 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:25.741131067 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:26.081651926 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:26.081687927 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:26.081737041 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:26.129623890 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:27.430715084 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:27.430779934 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:27.437460899 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:27.437494993 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:27.438563108 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:27.486953020 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:27.929297924 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:27.929392099 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.036881924 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.036962986 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:28.037889004 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:28.039196014 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:28.043508053 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.043555975 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:28.043622017 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.043740034 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.044028044 CEST	443	49769	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:28.044112921 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.044276953 CEST	443	49770	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:28.044508934 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:28.044580936 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.044653893 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.045125008 CEST	443	49771	34.120.208.123	192.168.2.4
Oct 14, 2024 03:32:28.045730114 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.045757055 CEST	49769	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.045797110 CEST	49770	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.045805931 CEST	49771	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:32:28.111140013 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:28.116170883 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:28.136615038 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:28.189062119 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:28.213679075 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:28.217360973 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:28.222307920 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:28.267189980 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:28.314234018 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:28.367506981 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:29.497543097 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:29.497622967 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:29.497922897 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:29.499134064 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:29.499170065 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:29.976627111 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:29.976723909 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:29.979696989 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:29.979729891 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:29.979756117 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:29.979892969 CEST	443	49772	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:29.983756065 CEST	49772	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:30.497486115 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:30.502566099 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:30.599595070 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:30.602447987 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:30.607606888 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:30.642857075 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:30.699187040 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:30.743036985 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:38.248291969 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.248320103 CEST	443	51798	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:38.248368979 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.248445988 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.248456955 CEST	443	51798	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:38.254278898 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.254364967 CEST	443	51799	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.255031109 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.255134106 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.255162954 CEST	443	51799	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.257910967 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:38.257967949 CEST	443	51800	52.222.236.80	192.168.2.4
Oct 14, 2024 03:32:38.258045912 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:38.258131981 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:38.258152962 CEST	443	51800	52.222.236.80	192.168.2.4
Oct 14, 2024 03:32:38.287405968 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.287434101 CEST	443	51801	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:38.291188002 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.292473078 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.292483091 CEST	443	51801	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:38.302927017 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.302983999 CEST	443	51802	35.201.103.21	192.168.2.4
Oct 14, 2024 03:32:38.304979086 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.306969881 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.307013988 CEST	443	51802	35.201.103.21	192.168.2.4
Oct 14, 2024 03:32:38.722403049 CEST	443	51798	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:38.723876953 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.726598978 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.726608038 CEST	443	51798	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:38.726927042 CEST	443	51798	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:38.729685068 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.729772091 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.729887962 CEST	443	51798	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:38.729943037 CEST	51798	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:38.734652042 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:38.739614010 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:38.758028984 CEST	443	51799	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.758128881 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.760409117 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.760436058 CEST	443	51799	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.760763884 CEST	443	51799	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.762495995 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.762576103 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.762685061 CEST	443	51799	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.762741089 CEST	51799	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.770644903 CEST	443	51801	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:38.770731926 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.774395943 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.774410963 CEST	443	51801	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:38.774472952 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.774815083 CEST	443	51801	35.190.72.216	192.168.2.4
Oct 14, 2024 03:32:38.774930954 CEST	51801	443	192.168.2.4	35.190.72.216
Oct 14, 2024 03:32:38.789189100 CEST	443	51802	35.201.103.21	192.168.2.4
Oct 14, 2024 03:32:38.789349079 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.792917967 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.792948008 CEST	443	51802	35.201.103.21	192.168.2.4
Oct 14, 2024 03:32:38.793005943 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.793163061 CEST	443	51802	35.201.103.21	192.168.2.4
Oct 14, 2024 03:32:38.793235064 CEST	51802	443	192.168.2.4	35.201.103.21
Oct 14, 2024 03:32:38.809222937 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.809317112 CEST	443	51803	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.809423923 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.809530973 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:38.809566021 CEST	443	51803	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:38.837065935 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:38.840464115 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:38.845402002 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:38.886385918 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:38.937305927 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:38.982666016 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.006680965 CEST	443	51800	52.222.236.80	192.168.2.4
Oct 14, 2024 03:32:39.008352995 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:39.011375904 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:39.011408091 CEST	443	51800	52.222.236.80	192.168.2.4
Oct 14, 2024 03:32:39.011773109 CEST	443	51800	52.222.236.80	192.168.2.4
Oct 14, 2024 03:32:39.013812065 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:39.013885975 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:39.014002085 CEST	443	51800	52.222.236.80	192.168.2.4
Oct 14, 2024 03:32:39.017122984 CEST	51800	443	192.168.2.4	52.222.236.80
Oct 14, 2024 03:32:39.020781994 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.020837069 CEST	443	51804	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.021331072 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.021445036 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.021464109 CEST	443	51804	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.022638083 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.022715092 CEST	443	51805	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.023026943 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.023113966 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.023132086 CEST	443	51805	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.024895906 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.024919987 CEST	443	51806	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.025204897 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.025295019 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.025306940 CEST	443	51806	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.026397943 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.031218052 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.128974915 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.131742954 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.137141943 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.171603918 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.228331089 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.271930933 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.290569067 CEST	443	51803	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:39.290653944 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:39.293463945 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:39.293493986 CEST	443	51803	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:39.294262886 CEST	443	51803	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:39.296103954 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:39.296189070 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:39.296540022 CEST	443	51803	34.149.100.209	192.168.2.4
Oct 14, 2024 03:32:39.297080994 CEST	51803	443	192.168.2.4	34.149.100.209
Oct 14, 2024 03:32:39.298441887 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.304088116 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.401115894 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.403979063 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.409579992 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.441240072 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.493465900 CEST	443	51804	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.493714094 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.495982885 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.496014118 CEST	443	51804	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.496355057 CEST	443	51804	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.497462034 CEST	443	51805	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.497606993 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.499460936 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.499469042 CEST	443	51805	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.499504089 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.499680996 CEST	443	51804	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.499722958 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.499782085 CEST	443	51805	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.501096010 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.501928091 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.501980066 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.502084970 CEST	443	51805	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.503736019 CEST	51804	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.503751993 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.503751993 CEST	51805	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.506099939 CEST	443	51806	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.506146908 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.506551027 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.509247065 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.509251118 CEST	443	51806	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.509440899 CEST	443	51806	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.511117935 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.511182070 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.511217117 CEST	443	51806	35.244.181.201	192.168.2.4
Oct 14, 2024 03:32:39.511282921 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.511313915 CEST	51806	443	192.168.2.4	35.244.181.201
Oct 14, 2024 03:32:39.557136059 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.608591080 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.620254993 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.625161886 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.673041105 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:39.716747046 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:39.773349047 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:40.519637108 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:40.519664049 CEST	443	51810	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:40.520076036 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:40.521274090 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:40.521289110 CEST	443	51810	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:41.002324104 CEST	443	51810	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:41.002398968 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:41.007267952 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:41.007277966 CEST	443	51810	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:41.007354021 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:41.007874012 CEST	443	51810	34.107.243.93	192.168.2.4
Oct 14, 2024 03:32:41.008023977 CEST	51810	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:32:41.010147095 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:41.015098095 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:41.112137079 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:41.114860058 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:41.119841099 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:41.161756992 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:41.212064028 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:41.262089014 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:51.117399931 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:51.122545004 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:51.217668056 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:51.223278999 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:56.447021961 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:56.451913118 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:56.549550056 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:56.551810980 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:56.556708097 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:56.601691961 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:32:56.648428917 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:32:56.701984882 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:01.024988890 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.025016069 CEST	443	51823	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:01.025315046 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.026633978 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.026644945 CEST	443	51823	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:01.515047073 CEST	443	51823	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:01.515888929 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.519260883 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.519268036 CEST	443	51823	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:01.519408941 CEST	443	51823	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:01.519896030 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.519901991 CEST	443	51823	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:01.524651051 CEST	51823	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:01.525825024 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:01.530778885 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:01.627764940 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:01.630183935 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:01.635040998 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:01.686424971 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:01.727365017 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:01.785547018 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:08.613264084 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.613298893 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:08.615515947 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.615686893 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.615705013 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:08.627171040 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.627185106 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:08.627361059 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.627398014 CEST	443	51871	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:08.627501011 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.627501965 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.627680063 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.627696991 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:08.627832890 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:08.627847910 CEST	443	51871	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.094660044 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.102848053 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.107033968 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.107053041 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.108037949 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.108421087 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.109889984 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.110001087 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.110336065 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.119405031 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.119427919 CEST	443	51867	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.120701075 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.120717049 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.120733976 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.120755911 CEST	51867	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.125135899 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.125150919 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.125256062 CEST	443	51871	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.125477076 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.129134893 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.129247904 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.129498959 CEST	443	51870	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.130486965 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.130506039 CEST	51870	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.130522966 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.135360956 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.135370016 CEST	443	51871	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.135699034 CEST	443	51871	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.146826029 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.146959066 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.147195101 CEST	443	51871	34.120.208.123	192.168.2.4
Oct 14, 2024 03:33:09.147372007 CEST	51871	443	192.168.2.4	34.120.208.123
Oct 14, 2024 03:33:09.154880047 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:09.159993887 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:09.256802082 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:09.305213928 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:09.321180105 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:09.327101946 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:09.418725014 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:09.470366955 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:19.270744085 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:19.275576115 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:19.431283951 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:19.436117887 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:29.277348042 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:29.282618046 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:29.446563005 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:29.453124046 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:39.290792942 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:39.295736074 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:39.460149050 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:39.465017080 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:41.783350945 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:41.783448935 CEST	443	52077	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:41.789493084 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:41.800888062 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:41.800925016 CEST	443	52077	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:42.301295996 CEST	443	52077	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:42.301424980 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:42.307262897 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:42.307264090 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:42.307322025 CEST	443	52077	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:42.307624102 CEST	443	52077	34.107.243.93	192.168.2.4
Oct 14, 2024 03:33:42.308089018 CEST	52077	443	192.168.2.4	34.107.243.93
Oct 14, 2024 03:33:42.309880972 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:42.314712048 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:42.413764000 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:42.416848898 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:42.421721935 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:42.469448090 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:42.514159918 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:42.569735050 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:52.423650980 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:52.428853989 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:33:52.523957968 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:33:52.529093981 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:34:02.451837063 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:34:02.456742048 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:34:02.536519051 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:34:02.541775942 CEST	80	49755	34.107.221.82	192.168.2.4
Oct 14, 2024 03:34:12.458086014 CEST	49751	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:34:12.463341951 CEST	80	49751	34.107.221.82	192.168.2.4
Oct 14, 2024 03:34:12.542741060 CEST	49755	80	192.168.2.4	34.107.221.82
Oct 14, 2024 03:34:12.547857046 CEST	80	49755	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 03:32:10.803448915 CEST	60209	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:10.810945034 CEST	53	60209	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:10.831902981 CEST	65167	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:10.838846922 CEST	53	65167	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.122029066 CEST	57109	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.130426884 CEST	51517	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.137240887 CEST	53	51517	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.137727022 CEST	58391	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.144967079 CEST	53	58391	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.256547928 CEST	63060	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.263124943 CEST	53	63060	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.269671917 CEST	65388	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.277070999 CEST	53	65388	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.280479908 CEST	58321	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.287817955 CEST	53	58321	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.428432941 CEST	55723	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.435784101 CEST	53	55723	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.436841965 CEST	58705	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.443666935 CEST	53	58705	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.458270073 CEST	58045	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.465434074 CEST	53	58045	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.494857073 CEST	57080	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.496200085 CEST	58727	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.502048016 CEST	53	57080	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.503563881 CEST	53	58727	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.509191990 CEST	62348	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.511328936 CEST	56534	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.516427040 CEST	53	62348	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.518210888 CEST	53	56534	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.524135113 CEST	50879	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.531439066 CEST	53	50879	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.919367075 CEST	50736	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.919703960 CEST	61196	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.926403046 CEST	53	50736	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.926809072 CEST	53	61196	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.927624941 CEST	52467	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.934890032 CEST	53	52467	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.936758041 CEST	54463	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.943905115 CEST	53	54463	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:13.945755005 CEST	60635	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:13.952950954 CEST	53	60635	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:14.049315929 CEST	53108	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:18.853869915 CEST	50529	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:18.861298084 CEST	53	50529	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:18.883507013 CEST	64845	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:18.890567064 CEST	53	64845	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:18.897922039 CEST	61988	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:18.904968023 CEST	53	61988	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:19.775126934 CEST	53840	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:19.815030098 CEST	53	59404	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:22.881650925 CEST	55387	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:22.888362885 CEST	53	55387	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:22.889257908 CEST	64286	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:22.896644115 CEST	53	64286	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:22.897120953 CEST	59563	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:22.903954029 CEST	53	59563	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:23.520719051 CEST	49864	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:23.527861118 CEST	53	49864	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:23.538391113 CEST	50947	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:23.545414925 CEST	53	50947	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:23.545919895 CEST	65249	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:23.552566051 CEST	53	65249	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:24.380043030 CEST	61061	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:24.386861086 CEST	53	61061	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:24.394094944 CEST	54224	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:24.400964022 CEST	53	54224	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:24.401545048 CEST	52348	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:24.408447981 CEST	53	52348	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:28.040739059 CEST	59075	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:29.497879028 CEST	53452	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:29.504900932 CEST	53	53452	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.474348068 CEST	50042	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.474597931 CEST	52883	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.474894047 CEST	49392	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.481143951 CEST	53	50042	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.481244087 CEST	53	52883	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.481616020 CEST	53	49392	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.481904030 CEST	52554	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.482186079 CEST	54780	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.482294083 CEST	65221	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.488641977 CEST	53	52554	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.488831043 CEST	53	65221	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.489025116 CEST	53	54780	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.489165068 CEST	55000	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.489722967 CEST	53476	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.490067959 CEST	56245	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.495928049 CEST	53	55000	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.496654987 CEST	53	56245	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.496776104 CEST	53	53476	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.499953985 CEST	59673	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.500380993 CEST	53517	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.506742001 CEST	53	59673	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.507267952 CEST	53	53517	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.509366035 CEST	63674	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.509366035 CEST	63931	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.516242981 CEST	53	63674	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.516293049 CEST	53	63931	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.516665936 CEST	56261	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.516736984 CEST	59252	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:30.523715019 CEST	53	56261	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:30.524801970 CEST	53	59252	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:35.515223026 CEST	53	49517	162.159.36.2	192.168.2.4
Oct 14, 2024 03:32:36.046838999 CEST	51270	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:36.054143906 CEST	53	51270	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.247392893 CEST	54077	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.250255108 CEST	49165	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.257093906 CEST	53	49165	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.258445024 CEST	57952	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.265922070 CEST	53	54077	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.266460896 CEST	53837	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.267076015 CEST	53	57952	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.267518044 CEST	50297	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.273278952 CEST	53	53837	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.274492979 CEST	53	50297	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.295089006 CEST	49575	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.302028894 CEST	53	49575	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.304781914 CEST	57850	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.315854073 CEST	53	57850	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.316919088 CEST	58918	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.325268030 CEST	53	58918	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.734949112 CEST	52379	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.742825985 CEST	64846	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.749543905 CEST	53	64846	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.750019073 CEST	60336	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.756736040 CEST	53	60336	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.838149071 CEST	61474	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.838603973 CEST	54739	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:38.844907999 CEST	53	61474	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:38.845371962 CEST	53	54739	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:40.512211084 CEST	65084	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:40.518937111 CEST	53	65084	1.1.1.1	192.168.2.4
Oct 14, 2024 03:32:40.520544052 CEST	55135	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:32:40.527338028 CEST	53	55135	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:01.017112970 CEST	53903	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:01.024060011 CEST	53	53903	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:01.025230885 CEST	64854	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:01.031944036 CEST	53	64854	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:08.613823891 CEST	58726	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:08.621085882 CEST	53	58726	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:08.626998901 CEST	49183	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:08.633503914 CEST	53	49183	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:41.736020088 CEST	62178	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:41.742758036 CEST	53	62178	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:41.753622055 CEST	50201	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:41.760341883 CEST	53	50201	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:41.765451908 CEST	51442	53	192.168.2.4	1.1.1.1
Oct 14, 2024 03:33:41.771905899 CEST	53	51442	1.1.1.1	192.168.2.4
Oct 14, 2024 03:33:42.310080051 CEST	52805	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 03:32:10.803448915 CEST	192.168.2.4	1.1.1.1	0xce8b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:10.831902981 CEST	192.168.2.4	1.1.1.1	0xb91b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:13.122029066 CEST	192.168.2.4	1.1.1.1	0x8d7b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.130426884 CEST	192.168.2.4	1.1.1.1	0xb2dd	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.137727022 CEST	192.168.2.4	1.1.1.1	0x1608	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:13.256547928 CEST	192.168.2.4	1.1.1.1	0x68dc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.269671917 CEST	192.168.2.4	1.1.1.1	0x8484	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.280479908 CEST	192.168.2.4	1.1.1.1	0x5474	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:13.428432941 CEST	192.168.2.4	1.1.1.1	0xfcd3	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.436841965 CEST	192.168.2.4	1.1.1.1	0x4a5e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.458270073 CEST	192.168.2.4	1.1.1.1	0xe948	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:13.494857073 CEST	192.168.2.4	1.1.1.1	0xb13a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.496200085 CEST	192.168.2.4	1.1.1.1	0x8a4c	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.509191990 CEST	192.168.2.4	1.1.1.1	0x5f5	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:13.511328936 CEST	192.168.2.4	1.1.1.1	0xe555	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.524135113 CEST	192.168.2.4	1.1.1.1	0x785b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:13.919367075 CEST	192.168.2.4	1.1.1.1	0x52bd	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.919703960 CEST	192.168.2.4	1.1.1.1	0x2a17	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.927624941 CEST	192.168.2.4	1.1.1.1	0x2ab7	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.936758041 CEST	192.168.2.4	1.1.1.1	0xbb38	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.945755005 CEST	192.168.2.4	1.1.1.1	0xcf98	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:14.049315929 CEST	192.168.2.4	1.1.1.1	0x2820	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:18.853869915 CEST	192.168.2.4	1.1.1.1	0xbeaa	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:18.883507013 CEST	192.168.2.4	1.1.1.1	0xdca4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:18.897922039 CEST	192.168.2.4	1.1.1.1	0xe707	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:19.775126934 CEST	192.168.2.4	1.1.1.1	0x4fd0	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:22.881650925 CEST	192.168.2.4	1.1.1.1	0x35c5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:22.889257908 CEST	192.168.2.4	1.1.1.1	0x2dee	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:22.897120953 CEST	192.168.2.4	1.1.1.1	0xd1f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:23.520719051 CEST	192.168.2.4	1.1.1.1	0x2bc0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:23.538391113 CEST	192.168.2.4	1.1.1.1	0xfcd4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:23.545919895 CEST	192.168.2.4	1.1.1.1	0x27b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:24.380043030 CEST	192.168.2.4	1.1.1.1	0x24e	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:24.394094944 CEST	192.168.2.4	1.1.1.1	0x8a5d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:24.401545048 CEST	192.168.2.4	1.1.1.1	0x57f4	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:28.040739059 CEST	192.168.2.4	1.1.1.1	0xfc6a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:29.497879028 CEST	192.168.2.4	1.1.1.1	0xa62e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:30.474348068 CEST	192.168.2.4	1.1.1.1	0x9892	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.474597931 CEST	192.168.2.4	1.1.1.1	0x7b60	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.474894047 CEST	192.168.2.4	1.1.1.1	0x69f	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481904030 CEST	192.168.2.4	1.1.1.1	0xa17c	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.482186079 CEST	192.168.2.4	1.1.1.1	0xbf15	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.482294083 CEST	192.168.2.4	1.1.1.1	0xb9a9	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.489165068 CEST	192.168.2.4	1.1.1.1	0x4038	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:30.489722967 CEST	192.168.2.4	1.1.1.1	0x2a5f	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 03:32:30.490067959 CEST	192.168.2.4	1.1.1.1	0xeee0	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:30.499953985 CEST	192.168.2.4	1.1.1.1	0x1af7	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.500380993 CEST	192.168.2.4	1.1.1.1	0x6ceb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.509366035 CEST	192.168.2.4	1.1.1.1	0xb2c6	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.509366035 CEST	192.168.2.4	1.1.1.1	0xcd3d	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.516665936 CEST	192.168.2.4	1.1.1.1	0x83bb	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:30.516736984 CEST	192.168.2.4	1.1.1.1	0x4510	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:36.046838999 CEST	192.168.2.4	1.1.1.1	0x4aaa	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 14, 2024 03:32:38.247392893 CEST	192.168.2.4	1.1.1.1	0xb8a	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.250255108 CEST	192.168.2.4	1.1.1.1	0xf248	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.258445024 CEST	192.168.2.4	1.1.1.1	0xb536	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.266460896 CEST	192.168.2.4	1.1.1.1	0x67fe	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:38.267518044 CEST	192.168.2.4	1.1.1.1	0x30be	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 03:32:38.295089006 CEST	192.168.2.4	1.1.1.1	0xb941	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.304781914 CEST	192.168.2.4	1.1.1.1	0xbb79	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.316919088 CEST	192.168.2.4	1.1.1.1	0x487e	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:32:38.734949112 CEST	192.168.2.4	1.1.1.1	0x1ec6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.742825985 CEST	192.168.2.4	1.1.1.1	0x15f2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.750019073 CEST	192.168.2.4	1.1.1.1	0x3f6c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 03:32:38.838149071 CEST	192.168.2.4	1.1.1.1	0x2cc5	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.838603973 CEST	192.168.2.4	1.1.1.1	0x9b83	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:40.512211084 CEST	192.168.2.4	1.1.1.1	0xbb00	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:40.520544052 CEST	192.168.2.4	1.1.1.1	0xa7e4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:33:01.017112970 CEST	192.168.2.4	1.1.1.1	0x6d58	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:01.025230885 CEST	192.168.2.4	1.1.1.1	0x723a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:33:08.613823891 CEST	192.168.2.4	1.1.1.1	0x96ba	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:08.626998901 CEST	192.168.2.4	1.1.1.1	0x59d9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:33:41.736020088 CEST	192.168.2.4	1.1.1.1	0xca89	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:41.753622055 CEST	192.168.2.4	1.1.1.1	0x4638	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:41.765451908 CEST	192.168.2.4	1.1.1.1	0x2fb	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 03:33:42.310080051 CEST	192.168.2.4	1.1.1.1	0xe6c8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 03:32:10.799245119 CEST	1.1.1.1	192.168.2.4	0x10b3	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:10.810945034 CEST	1.1.1.1	192.168.2.4	0xce8b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.129475117 CEST	1.1.1.1	192.168.2.4	0x8d7b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:13.129475117 CEST	1.1.1.1	192.168.2.4	0x8d7b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.137240887 CEST	1.1.1.1	192.168.2.4	0xb2dd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.144967079 CEST	1.1.1.1	192.168.2.4	0x1608	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 03:32:13.263124943 CEST	1.1.1.1	192.168.2.4	0x68dc	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.277070999 CEST	1.1.1.1	192.168.2.4	0x8484	No error (0)	youtube.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.287817955 CEST	1.1.1.1	192.168.2.4	0x5474	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 03:32:13.435784101 CEST	1.1.1.1	192.168.2.4	0xfcd3	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.443666935 CEST	1.1.1.1	192.168.2.4	0x4a5e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.492162943 CEST	1.1.1.1	192.168.2.4	0x8180	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:13.492162943 CEST	1.1.1.1	192.168.2.4	0x8180	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.502048016 CEST	1.1.1.1	192.168.2.4	0xb13a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.503563881 CEST	1.1.1.1	192.168.2.4	0x8a4c	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:13.503563881 CEST	1.1.1.1	192.168.2.4	0x8a4c	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.518210888 CEST	1.1.1.1	192.168.2.4	0xe555	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.926403046 CEST	1.1.1.1	192.168.2.4	0x52bd	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.926809072 CEST	1.1.1.1	192.168.2.4	0x2a17	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.926809072 CEST	1.1.1.1	192.168.2.4	0x2a17	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.934890032 CEST	1.1.1.1	192.168.2.4	0x2ab7	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:13.934890032 CEST	1.1.1.1	192.168.2.4	0x2ab7	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:13.934890032 CEST	1.1.1.1	192.168.2.4	0x2ab7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.943905115 CEST	1.1.1.1	192.168.2.4	0xbb38	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:13.952950954 CEST	1.1.1.1	192.168.2.4	0xcf98	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 03:32:14.056222916 CEST	1.1.1.1	192.168.2.4	0x2820	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:14.056222916 CEST	1.1.1.1	192.168.2.4	0x2820	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:18.861298084 CEST	1.1.1.1	192.168.2.4	0xbeaa	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:18.861298084 CEST	1.1.1.1	192.168.2.4	0xbeaa	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:18.861298084 CEST	1.1.1.1	192.168.2.4	0xbeaa	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:18.890567064 CEST	1.1.1.1	192.168.2.4	0xdca4	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:19.782166958 CEST	1.1.1.1	192.168.2.4	0x4fd0	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:22.888362885 CEST	1.1.1.1	192.168.2.4	0x35c5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:22.896644115 CEST	1.1.1.1	192.168.2.4	0x2dee	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:23.526382923 CEST	1.1.1.1	192.168.2.4	0xca9e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:23.526382923 CEST	1.1.1.1	192.168.2.4	0xca9e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:23.533190966 CEST	1.1.1.1	192.168.2.4	0xbef4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:23.545414925 CEST	1.1.1.1	192.168.2.4	0xfcd4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:24.209264994 CEST	1.1.1.1	192.168.2.4	0xdd24	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:24.386861086 CEST	1.1.1.1	192.168.2.4	0x24e	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:24.386861086 CEST	1.1.1.1	192.168.2.4	0x24e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:24.400964022 CEST	1.1.1.1	192.168.2.4	0x8a5d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:28.047512054 CEST	1.1.1.1	192.168.2.4	0xfc6a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:28.047512054 CEST	1.1.1.1	192.168.2.4	0xfc6a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481143951 CEST	1.1.1.1	192.168.2.4	0x9892	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481244087 CEST	1.1.1.1	192.168.2.4	0x7b60	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481244087 CEST	1.1.1.1	192.168.2.4	0x7b60	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481616020 CEST	1.1.1.1	192.168.2.4	0x69f	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:30.481616020 CEST	1.1.1.1	192.168.2.4	0x69f	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488641977 CEST	1.1.1.1	192.168.2.4	0xa17c	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.488831043 CEST	1.1.1.1	192.168.2.4	0xb9a9	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.489025116 CEST	1.1.1.1	192.168.2.4	0xbf15	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.495928049 CEST	1.1.1.1	192.168.2.4	0x4038	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 03:32:30.495928049 CEST	1.1.1.1	192.168.2.4	0x4038	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 03:32:30.495928049 CEST	1.1.1.1	192.168.2.4	0x4038	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 03:32:30.495928049 CEST	1.1.1.1	192.168.2.4	0x4038	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 03:32:30.496654987 CEST	1.1.1.1	192.168.2.4	0xeee0	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 03:32:30.496776104 CEST	1.1.1.1	192.168.2.4	0x2a5f	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 03:32:30.506742001 CEST	1.1.1.1	192.168.2.4	0x1af7	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:30.506742001 CEST	1.1.1.1	192.168.2.4	0x1af7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.506742001 CEST	1.1.1.1	192.168.2.4	0x1af7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.506742001 CEST	1.1.1.1	192.168.2.4	0x1af7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.506742001 CEST	1.1.1.1	192.168.2.4	0x1af7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.507267952 CEST	1.1.1.1	192.168.2.4	0x6ceb	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.516242981 CEST	1.1.1.1	192.168.2.4	0xb2c6	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.516293049 CEST	1.1.1.1	192.168.2.4	0xcd3d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.516293049 CEST	1.1.1.1	192.168.2.4	0xcd3d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.516293049 CEST	1.1.1.1	192.168.2.4	0xcd3d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:30.516293049 CEST	1.1.1.1	192.168.2.4	0xcd3d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:36.054143906 CEST	1.1.1.1	192.168.2.4	0x4aaa	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 14, 2024 03:32:38.244541883 CEST	1.1.1.1	192.168.2.4	0xf98d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:38.244541883 CEST	1.1.1.1	192.168.2.4	0xf98d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.257093906 CEST	1.1.1.1	192.168.2.4	0xf248	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.257093906 CEST	1.1.1.1	192.168.2.4	0xf248	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.257093906 CEST	1.1.1.1	192.168.2.4	0xf248	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.257093906 CEST	1.1.1.1	192.168.2.4	0xf248	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.265922070 CEST	1.1.1.1	192.168.2.4	0xb8a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.267076015 CEST	1.1.1.1	192.168.2.4	0xb536	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.267076015 CEST	1.1.1.1	192.168.2.4	0xb536	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.267076015 CEST	1.1.1.1	192.168.2.4	0xb536	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.267076015 CEST	1.1.1.1	192.168.2.4	0xb536	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.302028894 CEST	1.1.1.1	192.168.2.4	0xb941	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:38.302028894 CEST	1.1.1.1	192.168.2.4	0xb941	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.315854073 CEST	1.1.1.1	192.168.2.4	0xbb79	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.741816998 CEST	1.1.1.1	192.168.2.4	0x1ec6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:38.741816998 CEST	1.1.1.1	192.168.2.4	0x1ec6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.749543905 CEST	1.1.1.1	192.168.2.4	0x15f2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.756736040 CEST	1.1.1.1	192.168.2.4	0x3f6c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 03:32:38.844907999 CEST	1.1.1.1	192.168.2.4	0x2cc5	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.845371962 CEST	1.1.1.1	192.168.2.4	0x9b83	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:38.845371962 CEST	1.1.1.1	192.168.2.4	0x9b83	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:32:39.515572071 CEST	1.1.1.1	192.168.2.4	0xcd7b	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:39.515572071 CEST	1.1.1.1	192.168.2.4	0xcd7b	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:32:40.518937111 CEST	1.1.1.1	192.168.2.4	0xbb00	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:01.024060011 CEST	1.1.1.1	192.168.2.4	0x6d58	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:08.612117052 CEST	1.1.1.1	192.168.2.4	0x1452	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:08.621085882 CEST	1.1.1.1	192.168.2.4	0x96ba	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:41.742758036 CEST	1.1.1.1	192.168.2.4	0xca89	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:41.760341883 CEST	1.1.1.1	192.168.2.4	0x4638	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 03:33:42.316688061 CEST	1.1.1.1	192.168.2.4	0xe6c8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 03:33:42.316688061 CEST	1.1.1.1	192.168.2.4	0xe6c8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7704	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 03:32:13.285777092 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:13.841150999 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84100 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7704	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 03:32:14.077738047 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:14.530186892 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 09:44:15 GMT Age: 56879 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	7704	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 03:32:14.631139994 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:15.255122900 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84102 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:18.843403101 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:18.946064949 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84105 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:22.880877018 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:22.983757019 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84109 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:24.059849977 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:24.162189007 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84111 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:24.482326984 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:24.584774017 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84111 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:25.224402905 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:25.334285021 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84112 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:25.512146950 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:25.614192963 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84112 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:28.111140013 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:28.213679075 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84115 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:30.497486115 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:30.599595070 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84117 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:38.734652042 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:38.837065935 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84125 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:39.026397943 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:39.128974915 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84126 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:39.298441887 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:39.401115894 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84126 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:39.506146908 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:39.608591080 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84126 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:41.010147095 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:41.112137079 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84128 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:32:51.117399931 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:32:56.447021961 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:32:56.549550056 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84143 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:33:01.525825024 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:33:01.627764940 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84148 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:33:09.154880047 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:33:09.256802082 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84156 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:33:19.270744085 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:33:29.277348042 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:33:39.290792942 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:33:42.309880972 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 03:33:42.413764000 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 02:10:33 GMT Age: 84189 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 03:33:52.423650980 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:34:02.451837063 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:34:12.458086014 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	34.107.221.82	80	7704	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 03:32:15.522383928 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:15.977446079 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27559 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:19.774096012 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:19.871115923 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27563 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:23.575079918 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:23.671681881 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27567 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:24.376966953 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:24.473609924 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27568 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:24.944665909 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:25.041424036 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27568 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:25.476502895 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:25.573393106 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27569 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:28.039196014 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:28.136615038 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27572 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:28.217360973 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:28.314234018 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27572 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:30.602447987 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:30.699187040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27574 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:38.840464115 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:38.937305927 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27582 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:39.131742954 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:39.228331089 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27583 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:39.403979063 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:39.501096010 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27583 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:39.620254993 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:39.716747046 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27583 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:41.114860058 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:41.212064028 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27585 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:32:51.217668056 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:32:56.551810980 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:32:56.648428917 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27600 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:33:01.630183935 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:33:01.727365017 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27605 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:33:09.321180105 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:33:09.418725014 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27613 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:33:19.431283951 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:33:29.446563005 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:33:39.460149050 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:33:42.416848898 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 03:33:42.514159918 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 27646 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 03:33:52.523957968 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:34:02.536519051 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 03:34:12.542741060 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	21:32:02
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x810000
File size:	919'552 bytes
MD5 hash:	39EF3CBB09537BEA4C8779F80F42495F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:32:02
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x690000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:32:02
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:32:04
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x690000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:32:04
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x690000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x690000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x690000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:32:05
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:32:06
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:32:06
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	21:32:07
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a418fc79-5b10-472b-b3cd-23cdedc49dfe} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1ade8070b10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	21:32:11
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -parentBuildID 20230927232528 -prefsHandle 4392 -prefMapHandle 4388 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {047d8eaa-463a-4f5e-ba84-be975c9a4469} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adf7ed0610 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	21:32:22
Start date:	13/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 5364 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c385fcad-3934-4ff5-b833-6d8b82e95124} 7704 "\\.\pipe\gecko-crash-server-pipe.7704" 1adfa339310 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1547
Total number of Limit Nodes:	51

Executed Functions

Function 008142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0081430D

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetCurrentProcess.KERNEL32(?,008ACB64,00000000,?,?), ref: 00814422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00814429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00814454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00814466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00814474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0081447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008144A0

Strings

kernel32.dll, xrefs: 0081444F
GetNativeSystemInfo, xrefs: 00814460
|O, xrefs: 008536F8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction ID: 83609f7703a0f45fb60c0adcb8e95cb608e57befc78751362fbb09c8a3d61a69
Opcode Fuzzy Hash: 9faee72a2a55bbe90d7303b3da3e735a3651f48f8e7c83d054a1454f8bb3573a
Instruction Fuzzy Hash: EEA1C37290A2C4EFCF11C7697CC85DA7FE8FB26745B0858A9D481DBB22D6384948CB35

Function 008142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008150AA,?,?,00000000,00000000), ref: 008142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008150AA,?,?,00000000,00000000), ref: 008142C9
LoadResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535BE
SizeofResource.KERNEL32(?,00000000,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20), ref: 008535D3
LockResource.KERNEL32(008150AA,?,?,008150AA,?,?,00000000,00000000,?,?,?,?,?,?,00814F20,?), ref: 008535E6

Strings

SCRIPT, xrefs: 008142BF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction ID: 69d716e3ada662d585f3211412857fb945031fe3a45963813708d1a083984510
Opcode Fuzzy Hash: 4420bf8b017cd4477b433d04a7f6e9f39d6b510a0ed5a9b8fa21bfcde4889206
Instruction Fuzzy Hash: FD117C70200701BFE7218B65DC48F677BBEFFC6B51F104169B412D6650DBB2D8408620

Function 00852BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008D2224), ref: 00852C10
ShellExecuteW.SHELL32(00000000,?,?,008D2224), ref: 00852C17

Strings

runas, xrefs: 00852C0B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8590efc8e1a32710cae044ad2c52723985ae17ae4b4def6f2be09dfddb2d1c28
Instruction ID: 66f61813ab1327c40b520d8b595b8889a53824e410f03777f951900cf97477be
Opcode Fuzzy Hash: 8590efc8e1a32710cae044ad2c52723985ae17ae4b4def6f2be09dfddb2d1c28
Instruction Fuzzy Hash: 0A11D531108345AACB04FF68E8559EEB7ADFF96310F44042EF192C22A2CF318AC98753

Function 0087D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Process32NextW.KERNEL32(00000000,?), ref: 0087D52F
CloseHandle.KERNELBASE(00000000), ref: 0087D5DC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 4a9c795a330b60eeed76e8a7a44629f56e50a13369fbf6acaceac617cdefa55d
Instruction ID: 5e645767f5cd8c65a4aeac6905b591086d8938d69c980a33b43514ca7f427a0d
Opcode Fuzzy Hash: 4a9c795a330b60eeed76e8a7a44629f56e50a13369fbf6acaceac617cdefa55d
Instruction Fuzzy Hash: DA318C711083009FD300EF58C881AAABBF8FF99344F10492DF585C21A1EB619985CB93

Function 0087DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00855222), ref: 0087DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0087DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0087DBEE
FindClose.KERNEL32(00000000), ref: 0087DBFA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction ID: a5513b44b347b5da32322c2e019c3d4919a364a96d2411595eb2213206444bc7
Opcode Fuzzy Hash: 79a831e996f4b30caced9c8f08668536dbe092cf4ce4f53e7358f5e694f794f9
Instruction Fuzzy Hash: 7BF0E530810A145792216B7CAC0D8AA37BCFF82334B108702F83AC26F0EBB49D54C6D5

Function 00834CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D09
TerminateProcess.KERNEL32(00000000,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000,?,008428E9), ref: 00834D10
ExitProcess.KERNEL32 ref: 00834D22

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction ID: 7af196af8871434e553504a1213941ad50d3e31595d4d9ee324f94e6eafbbe51
Opcode Fuzzy Hash: 8ef01821f8f036cae25588a51b705d70280ff6fac22d2747f3c7e099c1b7a0f5
Instruction Fuzzy Hash: AEE0B631000548ABDF51AF54DD09A593B69FB82781F104414FC05DA632DB39ED42DA80

Function 0089AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0089B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089B1D4
_wcslen.LIBCMT ref: 0089B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0089B236
_wcslen.LIBCMT ref: 0089B332

Part of subcall function 008805A7: GetStdHandle.KERNEL32(000000F6), ref: 008805C6

_wcslen.LIBCMT ref: 0089B34B
_wcslen.LIBCMT ref: 0089B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0089B3B6
GetLastError.KERNEL32(00000000), ref: 0089B407
CloseHandle.KERNEL32(?), ref: 0089B439
CloseHandle.KERNEL32(00000000), ref: 0089B44A
CloseHandle.KERNEL32(00000000), ref: 0089B45C
CloseHandle.KERNEL32(00000000), ref: 0089B46E
CloseHandle.KERNEL32(?), ref: 0089B4E3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a593f20b5b3ab5f8dfffce0bafeaf61b908d16a17b2860cb11ef4d255bde63a8
Instruction ID: 4dd3e8505f845647dc21546c79113bc06b0acd2c3450e187c81829c775ef6119
Opcode Fuzzy Hash: a593f20b5b3ab5f8dfffce0bafeaf61b908d16a17b2860cb11ef4d255bde63a8
Instruction Fuzzy Hash: 31F17A316083409FCB14EF28D991B6ABBE5FF85314F18855DF8999B2A2DB31EC44CB52

Function 0081D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0081D807
timeGetTime.WINMM ref: 0081DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB28
TranslateMessage.USER32(?), ref: 0081DB7B
DispatchMessageW.USER32(?), ref: 0081DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB9F
Sleep.KERNELBASE(0000000A), ref: 0081DBB1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 1ba2f3f5220b71aa8a44951850967f46f385e5c8d64bcd3a6c7cf6f030796c0d
Instruction ID: d87a02332ad2e66c82f2d7ae1ea759e4c9b6a081758c75e86d1e8f0a20b231cd
Opcode Fuzzy Hash: 1ba2f3f5220b71aa8a44951850967f46f385e5c8d64bcd3a6c7cf6f030796c0d
Instruction Fuzzy Hash: 66421430608745DFDB29CF28C884BAABBE8FF46314F15456DE456CB291D774E884CB92

Function 00812CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812D07
RegisterClassExW.USER32(00000030), ref: 00812D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
LoadIconW.USER32(000000A9), ref: 00812D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

+, xrefs: 00812CF0
AutoIt v3 GUI, xrefs: 00812D23
TaskbarCreated, xrefs: 00812D37
0, xrefs: 00812CE9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction ID: 628822a5554d6cb8edb4362ea3450451fe2105f5ac1dc94147edf4f15b93f7f0
Opcode Fuzzy Hash: 682686a0f6687b36f11884cf974afd1c46cd5898393dfc308a56ce5c5cbced41
Instruction Fuzzy Hash: 9F21C3B5901258AFEF00EFA8E889BDDBFB4FB09700F00811AF611AA6A0D7B55544CF91

Function 0085065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0085039A: CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

GetLastError.KERNEL32 ref: 0085076F
__dosmaperr.LIBCMT ref: 00850776
GetFileType.KERNELBASE(00000000), ref: 00850782
GetLastError.KERNEL32 ref: 0085078C
__dosmaperr.LIBCMT ref: 00850795
CloseHandle.KERNEL32(00000000), ref: 008507B5
CloseHandle.KERNEL32(?), ref: 008508FF
GetLastError.KERNEL32 ref: 00850931
__dosmaperr.LIBCMT ref: 00850938

Strings

H, xrefs: 008508BD

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction ID: 47fc44fd7cfb72e10186c9529a0974024ee4aa2580bce8a5832cd7e1a42ffff3
Opcode Fuzzy Hash: 3b8ccc0a1b299a2f75b48142b519e28bd13b8578578e8cfc0dc729c3b3d19f08
Instruction Fuzzy Hash: E0A10332A001488FDF19AF68D891BAE7BA0FB46325F140159FC11DF392DA71981ACF92

Function 0081344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00813A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008E1418,?,00812E7F,?,?,?,00000000), ref: 00813A78

Part of subcall function 00813357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00813379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0081356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0085318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008531CE
RegCloseKey.ADVAPI32(?), ref: 00853210
_wcslen.LIBCMT ref: 00853277
_wcslen.LIBCMT ref: 00853286

Strings

Include, xrefs: 00853184, 008531C5
\Include\, xrefs: 00813527
Software\AutoIt v3\AutoIt, xrefs: 00813560
\, xrefs: 0085328C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: eb673380fd35d621a08dc04c35d04222fbea61f8e9ef4ec4588c0f64650e93fd
Instruction ID: f5a8d1759333075e14b3b029efbc512ade884b2e4a35cdfcecd61951b6ce5cc8
Opcode Fuzzy Hash: eb673380fd35d621a08dc04c35d04222fbea61f8e9ef4ec4588c0f64650e93fd
Instruction Fuzzy Hash: 697149714043419EC314EF69EC829ABBBECFF85750F40052EF595D6271EB749A88CB62

Function 00812B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00812B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00812B9D
LoadIconW.USER32(00000063), ref: 00812BB3
LoadIconW.USER32(000000A4), ref: 00812BC5
LoadIconW.USER32(000000A2), ref: 00812BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00812BEF
RegisterClassExW.USER32(?), ref: 00812C40

Part of subcall function 00812CD4: GetSysColorBrush.USER32(0000000F), ref: 00812D07
Part of subcall function 00812CD4: RegisterClassExW.USER32(00000030), ref: 00812D31
Part of subcall function 00812CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00812D42
Part of subcall function 00812CD4: InitCommonControlsEx.COMCTL32(?), ref: 00812D5F
Part of subcall function 00812CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00812D6F
Part of subcall function 00812CD4: LoadIconW.USER32(000000A9), ref: 00812D85
Part of subcall function 00812CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00812D94

Strings

AutoIt v3, xrefs: 00812C2F
0, xrefs: 00812C0F
#, xrefs: 00812C16

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction ID: 566497f35cd73b0777b6a1893f9670088470f49acf367bad21f69e2654847f03
Opcode Fuzzy Hash: 841ce70046bb376a8f7a34d3b337825a25546d0dcf586d5a8153c974930ca005
Instruction Fuzzy Hash: 8F211A74E00358AFDF109FA9EC99AAD7FB4FB48B50F04401AF600AABA0D7B91540CF90

Function 00813170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0081316A,?,?), ref: 008131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0081316A,?,?), ref: 00813204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00813227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0081316A,?,?), ref: 00813232
CreatePopupMenu.USER32 ref: 00813246
PostQuitMessage.USER32(00000000), ref: 00813267

Strings

TaskbarCreated, xrefs: 0081322D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 548b99494c44060f2b73c95ba3aefbbe98f41a96e9da40a48d86f9b84fbca4a4
Instruction ID: e8f68c7162b920a4dcbb59bf89ff49f55794255c27d25def45f7c6c9e18b1f70
Opcode Fuzzy Hash: 548b99494c44060f2b73c95ba3aefbbe98f41a96e9da40a48d86f9b84fbca4a4
Instruction Fuzzy Hash: 0A411531240248ABEF156B7C9D4EBFD3A5DFF06345F040125F912CA6A2CB759AC497A2

Function 00811410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00811459
CoUninitialize.COMBASE ref: 008114F8
UnregisterHotKey.USER32(?), ref: 008116DD
DestroyWindow.USER32(?), ref: 008524B9
FreeLibrary.KERNEL32(?), ref: 0085251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0085254B

Strings

close all, xrefs: 00811454

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 64e8a0e507f8352d7138312fc89d3d124a816dbb24613f9a9de85a926e491221
Instruction ID: 0121e52e40d1733420a2c099579fc18a332a37a9ad72994867a2798ca664cecb
Opcode Fuzzy Hash: 64e8a0e507f8352d7138312fc89d3d124a816dbb24613f9a9de85a926e491221
Instruction Fuzzy Hash: 75D16B317012228FDB19EF18C499A69F7A9FF06701F1441ADEA4AEB252DF30AC56CF51

Function 00812C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00812C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00812CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00811CAD,?), ref: 00812CCF

Strings

AutoIt v3, xrefs: 00812C89, 00812C8E, 00812C8F
edit, xrefs: 00812CAC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction ID: 447cfe78fe1fbf10c62469f5e124a9c3062d706b740986cf57ab7e71c8df0eaa
Opcode Fuzzy Hash: ad81e5eb9d52156ebea3113c01fd9f0ac2ad7f11d57f8bf1234f731d13d37831
Instruction Fuzzy Hash: D4F0DA755402D07AEB311717AC8CE772EBDF7C7F50B04005AFA00AAAA0C6791851DBB0

Function 00813B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00813B0F,SwapMouseButtons,00000004,?), ref: 00813B83

Strings

Control Panel\Mouse, xrefs: 00813B3E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction ID: e4202eb08fc690a025dcae76af8a2a199f1c21b9492d0237cb49944bb0a52f58
Opcode Fuzzy Hash: 555d6b3fcd49969f67b2f031193bb0affcdf75a59aa527396e03a057a4bc27dd
Instruction Fuzzy Hash: 4A112AB5514208FFDB208FA5DC44AEFB7BCFF05754B104459A805D7110E2319E809760

Function 00813923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008533A2

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00813A04

Strings

Line: , xrefs: 008533EB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 05029d0d2e381859ddcc1bb9a4d699e637988ec3bbb2c40fc7766d132366f7e9
Instruction ID: f7ad172ad9bc62a971c3ad22bb4163d1ca81f594d342531531b8b6e67d2663e2
Opcode Fuzzy Hash: 05029d0d2e381859ddcc1bb9a4d699e637988ec3bbb2c40fc7766d132366f7e9
Instruction Fuzzy Hash: 0C31C071408344AAD721EB24DC49BEBB7ECFF45710F00452AF5A9D2291EB749A88C7C3

Function 0082FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00830668

Part of subcall function 008332A4: RaiseException.KERNEL32(?,?,?,0083068A,?,008E1444,?,?,?,?,?,?,0083068A,00811129,008D8738,00811129), ref: 00833304

__CxxThrowException@8.LIBVCRUNTIME ref: 00830685

Strings

Unknown exception, xrefs: 00830692

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b349aa85ba7754f1ce463447f176c6fea66af6ac60b8cf84455cd6e920e2d1ee
Instruction ID: 1f9b1c075e757b0c57d5e5ec75beab75df3d570fc0cbec9dc52cbe26caf9fadc
Opcode Fuzzy Hash: b349aa85ba7754f1ce463447f176c6fea66af6ac60b8cf84455cd6e920e2d1ee
Instruction Fuzzy Hash: A9F04F2490030DA78B00B6A8E856D9E776CFE90354FA04531BA24D6696EF71EAA5C9C2

Function 008110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00811BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
Part of subcall function 00811BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Part of subcall function 00811B4A: RegisterWindowMessageW.USER32(00000004,?,008112C4), ref: 00811BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0081136A
OleInitialize.OLE32 ref: 00811388
CloseHandle.KERNEL32(00000000,00000000), ref: 008524AB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 998398b89a6f6752857dea20c731cd0fb83fdf2336bc69f3057dd5f34f952a42
Instruction ID: 66d4253fc68642f6b399582e29ff7a58a7c123836cabdb7bf200b394822f1d9c
Opcode Fuzzy Hash: 998398b89a6f6752857dea20c731cd0fb83fdf2336bc69f3057dd5f34f952a42
Instruction Fuzzy Hash: 9071AFB49113908ECF84DFBAADCD6993AE5FB8A344754823AD51ACF361EB304485CF45

Function 0087C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00813923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00813A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0087C259
KillTimer.USER32(?,00000001,?,?), ref: 0087C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0087C270

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: a5a5731f31ef6acf8c2a49293ed20a0f34d829ccf674c62b240237fcc00fcc7f
Instruction ID: c009ba73a7c69c0937956ab86715b895477680b00d724b6b5521383b029389e2
Opcode Fuzzy Hash: a5a5731f31ef6acf8c2a49293ed20a0f34d829ccf674c62b240237fcc00fcc7f
Instruction Fuzzy Hash: E1318470904344AFEB22DF649895BE6BBECFB06308F04449ED69EE7246C7749A84CB51

Function 008486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008485CC,?,008D8CC8,0000000C), ref: 00848704
GetLastError.KERNEL32(?,008485CC,?,008D8CC8,0000000C), ref: 0084870E
__dosmaperr.LIBCMT ref: 00848739

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction ID: abc4768bce2ce1454c727ceb15ec90634cc95136e9de1e95ad79b4375931a4f1
Opcode Fuzzy Hash: db788b946ae34a1d4d492087b42fa33999ba9d5eb0589ff29ed1a6bd95a1e252
Instruction Fuzzy Hash: 45016B33A04268A7D6A166386889B7F6749FB93778F3A0119F804CB2D3DEA08C818191

Function 0081DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0081DB7B
DispatchMessageW.USER32(?), ref: 0081DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0081DB9F
Sleep.KERNELBASE(0000000A), ref: 0081DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00861CC9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 336826f6d84b022f3113c418befedf375498c13a8c9343a7eb4e3ce576e35404
Instruction ID: 8f8ef347d794a2a4f6fe5ee7f6b4fdb5a31440019b505093fab53ac0d7a85597
Opcode Fuzzy Hash: 336826f6d84b022f3113c418befedf375498c13a8c9343a7eb4e3ce576e35404
Instruction Fuzzy Hash: B8F0FE316443949BEB34CBA59C89FEA73ACFF85310F144929E65AC74D0DB30A4889B25

Function 00821310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008217F6

Strings

CALL, xrefs: 008217C6

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 31f71d5489f8e590c1471644d32617933efb843de37618551527653551c26f15
Instruction ID: 3965bec3a115e1f5181c90ba785362d21301c1595a8de88dc52a889709fe5612
Opcode Fuzzy Hash: 31f71d5489f8e590c1471644d32617933efb843de37618551527653551c26f15
Instruction Fuzzy Hash: AC229B706082519FCB14DF18D488A2ABBF1FF95314F25896DF496CB3A2D731E991CB82

Function 00812DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00852C8C

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 00812DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Strings

X, xrefs: 00852C5A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction ID: cee250f2fc234b8a31a18dd40ecb46e42e8a670ddd24d012f84a5adff0af0816
Opcode Fuzzy Hash: c33de775d40a1e81797858fc4f541fcfa36956f51300283f8c6e20e2e4851625
Instruction Fuzzy Hash: 9E21A170A0025C9ADB01DF98C845BEE7BBDFF49315F00405AE505E7241EBB45A9D8FA2

Function 00813837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 647faa6e84bdeb8fa29244dbce2019c0cce651a2fec49cc9de8162826e1e6fa3
Instruction ID: d399aed171162f956e8d2645737aa476e3207b86ef8833c0e647f1d65b97f09c
Opcode Fuzzy Hash: 647faa6e84bdeb8fa29244dbce2019c0cce651a2fec49cc9de8162826e1e6fa3
Instruction Fuzzy Hash: D9315AB05043019FD721DF24D8847D6BBE8FF49708F00092EE99AD7250E775AA84CB52

Function 0082F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0082F661

Part of subcall function 0081D730: GetInputState.USER32 ref: 0081D807

Sleep.KERNEL32(00000000), ref: 0086F2DE

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 0dd12b64d514e892540dc2a62c47fd58f18700a07267119629bf3a267fa06624
Instruction ID: 3acd0b3632c744a67ac5ea0730c0e7dff78350d7080a9a4960dd43616f1c63d8
Opcode Fuzzy Hash: 0dd12b64d514e892540dc2a62c47fd58f18700a07267119629bf3a267fa06624
Instruction Fuzzy Hash: 99F0A0312402159FE350EF79E449BAAB7F9FF46760F000029E959C73A1EB70A840CF91

Function 00814ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00814E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
Part of subcall function 00814E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
Part of subcall function 00814E90: FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EFD

Part of subcall function 00814E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
Part of subcall function 00814E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
Part of subcall function 00814E59: FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 57e6fc8da7400435b92d09a6a4e05c468d0965430de2f2702a99dbcb5936e645
Instruction ID: de8c78b55d79c401d95d3b0d969eb9d37a8086281f29e238dc9b3a85e129710c
Opcode Fuzzy Hash: 57e6fc8da7400435b92d09a6a4e05c468d0965430de2f2702a99dbcb5936e645
Instruction Fuzzy Hash: A011C132600205AADB14AB68D802FED77A9FF80711F108429F542EA2C1EE719E869791

Function 00848402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00848440

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction ID: 3df8fb578c682be63db6571dabd516916779af875029ff88f4314e761c1aa171
Opcode Fuzzy Hash: 301b2e9b5e4937eb5470090748ea86564ee219f8e5ff6613f8bb63f9146963dd
Instruction Fuzzy Hash: A311067590410AEFCB05DF58E94199E7BF9FF48314F144059FC08EB312DA31DA118BA5

Function 00845000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00844C7D: RtlAllocateHeap.NTDLL(00000008,00811129,00000000,?,00842E29,00000001,00000364,?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?), ref: 00844CBE

_free.LIBCMT ref: 0084506C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 0f18758eb191b3cdfaa40fd28130323f51691c15115ef54cae43d8614235fd88
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 51012676204B096BE321CE699881A9AFBE9FB89370F65051DE184C3281EA30A805C6B5

Function 0083E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 231308ad2812756c43b4de4a09d60189baed25adaaa97ff5c1b904fd74793ae9
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 73F08132511A1896D6313A6E9C06B5A3798FFE2335F100719F925D22D2EB749802C6E6

Function 00844C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00811129,00000000,?,00842E29,00000001,00000364,?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?), ref: 00844CBE

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2aa3fb47fc82ce14220a2e99dc35e70d7a60c4c21aab380af832c93df6e09bea
Instruction ID: 94c889459cec5f5a962521b63eb299cc8657cd2311343df98edb4e018141c636
Opcode Fuzzy Hash: 2aa3fb47fc82ce14220a2e99dc35e70d7a60c4c21aab380af832c93df6e09bea
Instruction Fuzzy Hash: 8CF0E93160222CA7DB215F66AC89B5B3788FF917B1F1C6111BC15EA281CAB0D80046E1

Function 00843820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction ID: 1635e25d69729158aaa133496c9858856be944a5e75864bc188577a8e58dce99
Opcode Fuzzy Hash: f436b4e79232ff988de3d4124e44c151ad51eacaa6d03ce959f0a8c741c685a3
Instruction Fuzzy Hash: 8BE09B3150122C97E73126BB9C05B9BF749FF827B0F150131BD15D6591DB61EE0185E1

Function 00814F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814F6D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ae7243db99213ecdcc3ab93391b4124c3f9dcfeb0518dd586d61456993a6b272
Instruction ID: d82a193909895d7bf16177c18fb4c43477346477f9cb1f2229289b40fb69b5cf
Opcode Fuzzy Hash: ae7243db99213ecdcc3ab93391b4124c3f9dcfeb0518dd586d61456993a6b272
Instruction Fuzzy Hash: ABF03971105752CFDB349F64E4908A2BBE8FF15329324A97EE1EBC6621CB319889DF50

Function 008A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008A2A66

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 877717898cd116ff94bc1f9d5466b801e9f33fb411a45d6159675d39159330db
Instruction ID: 43686b4aee2717147a73bf6bb180395c892861804b5be35abfd5ece4f5309bf5
Opcode Fuzzy Hash: 877717898cd116ff94bc1f9d5466b801e9f33fb411a45d6159675d39159330db
Instruction Fuzzy Hash: 6CE0DF3234012AAEE720EA38DC80AFA734CFB12394B10453AAC2AC2540DF30E98182A1

Function 008130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0081314E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ea18cca9a8ffb21030f4912876672463c7a37528eb22c6528a716204acc948ce
Instruction ID: db0d3d8f962d29629480f028a8acf64bc206a5ee56dd39da1a9e26a427662c6c
Opcode Fuzzy Hash: ea18cca9a8ffb21030f4912876672463c7a37528eb22c6528a716204acc948ce
Instruction Fuzzy Hash: 32F0A7709003449FEB52DB24DC897D57BBCBB01708F0000E5A148D6291D77447C8CF41

Function 00812DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00812DC4

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction ID: c43fcfa17eca432eccbf0dbdf9c709b0a5d82f0b5126f965a4c81c94f7c8b133
Opcode Fuzzy Hash: 0cb7537c54c74fe5393e9ba6933332054868f47ce6068f06fef42d026c313739
Instruction Fuzzy Hash: B5E0CD726041245BCB10925C9C05FEA77DDFFC8791F050071FD09D7248DA64AD848551

Function 00812B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00813837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00813908

Part of subcall function 0081D730: GetInputState.USER32 ref: 0081D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00812B6B

Part of subcall function 008130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0081314E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 18cabe6da66f165f2ea095e2e1e2bc2e7c1142fe3549630317ef920ff7ab1883
Instruction ID: 4a7389af0b92bb7c5eb8460d1d1269ddab480630e630ae231457812781227bb5
Opcode Fuzzy Hash: 18cabe6da66f165f2ea095e2e1e2bc2e7c1142fe3549630317ef920ff7ab1883
Instruction Fuzzy Hash: 6CE0863130424407CA05BB7DA8565EDA79EFFD6355F40153EF142C72A2CE6589C94353

Function 0085039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00850704,?,?,00000000,?,00850704,00000000,0000000C), ref: 008503B7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction ID: 5a7243399ac559722f235d3d9a048c0b017f5e78b1abd75efbfd3fa447b9b2cc
Opcode Fuzzy Hash: a4c07dba16edf7d013aa759931aaca0d44724cdb8d41a43f900b2fdf6d208d51
Instruction Fuzzy Hash: BBD06C3214010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90

Function 00811CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00811CBC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction ID: 9bec22163f6cb7edad410d8b1d945d7d683fcd6417c717fc0a24f9ff700c7abb
Opcode Fuzzy Hash: 36e0f665b0f343dea0151516d2602ccdcb003ac4a4492c705c2d2defc406de31
Instruction Fuzzy Hash: CEC09B352803449FF6144780BD8EF107754B348B00F444001F6095D5E3C7F11810D650

Non-executed Functions

Function 008A9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 008A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 008A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A96C9
SendMessageW.USER32 ref: 008A96F2
GetKeyState.USER32(00000011), ref: 008A978B
GetKeyState.USER32(00000009), ref: 008A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008A97AE
GetKeyState.USER32(00000010), ref: 008A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008A97E9
SendMessageW.USER32 ref: 008A9810
SendMessageW.USER32(?,00001030,?,008A7E95), ref: 008A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 008A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008A9941
SetCapture.USER32(?), ref: 008A994A
ClientToScreen.USER32(?,?), ref: 008A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A99D6
ReleaseCapture.USER32 ref: 008A99E1
GetCursorPos.USER32(?), ref: 008A9A19
ScreenToClient.USER32(?,?), ref: 008A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9A80
SendMessageW.USER32 ref: 008A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9AEB
SendMessageW.USER32 ref: 008A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 008A9B4A
GetCursorPos.USER32(?), ref: 008A9B68
ScreenToClient.USER32(?,?), ref: 008A9B75
GetParent.USER32(?), ref: 008A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 008A9BFA
SendMessageW.USER32 ref: 008A9C2B
ClientToScreen.USER32(?,?), ref: 008A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 008A9CDE
SendMessageW.USER32 ref: 008A9D01
ClientToScreen.USER32(?,?), ref: 008A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008A9D82

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetWindowLongW.USER32(?,000000F0), ref: 008A9E05

Strings

F, xrefs: 008A9D07
@GUI_DRAGID, xrefs: 008A997D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 9cebe1d582776f0d0a9c4584e6edb8eb66aba905a03d038af11dbcd71521b070
Instruction ID: 430649a502f0b29e1ab9254312345104bff9884b75d4cc7afbe856634beeb5b0
Opcode Fuzzy Hash: 9cebe1d582776f0d0a9c4584e6edb8eb66aba905a03d038af11dbcd71521b070
Instruction Fuzzy Hash: 4B428034608241AFEB24CF68CC84AAABBE5FF5A314F14051DF695C7AA1D771E850CF51

Function 008A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 008A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 008A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 008A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 008A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 008A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 008A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 008A4A7E
IsMenu.USER32(?), ref: 008A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008A4B20
GetWindowLongW.USER32(?,000000F0), ref: 008A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 008A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 008A4C82
wsprintfW.USER32 ref: 008A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 008A4D5A

Strings

%d/%02d/%02d, xrefs: 008A4CA8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 203751b5b67bbdc0b1e8eb8802d500cc59a6a69657698c10f2cda218c14eabaf
Instruction ID: c69cd272b3f94ee06a02a7452982dd2c03e07ef2f1cdd81b08f44c9dbfb3dbcc
Opcode Fuzzy Hash: 203751b5b67bbdc0b1e8eb8802d500cc59a6a69657698c10f2cda218c14eabaf
Instruction Fuzzy Hash: BB12DC71600218ABFF258F28DC49FAE7BF8FF86314F105129F516EA6A1DBB49941CB50

Function 0082F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0082F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086F474
IsIconic.USER32(00000000), ref: 0086F47D
ShowWindow.USER32(00000000,00000009), ref: 0086F48A
SetForegroundWindow.USER32(00000000), ref: 0086F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4AA
GetCurrentThreadId.KERNEL32 ref: 0086F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0086F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0086F4DE
SetForegroundWindow.USER32(00000000), ref: 0086F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F4F6
keybd_event.USER32(00000012,00000000), ref: 0086F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F50B
keybd_event.USER32(00000012,00000000), ref: 0086F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F519
keybd_event.USER32(00000012,00000000), ref: 0086F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0086F528
keybd_event.USER32(00000012,00000000), ref: 0086F52D
SetForegroundWindow.USER32(00000000), ref: 0086F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0086F557

Strings

Shell_TrayWnd, xrefs: 0086F46F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction ID: bbba0c5f667ea7f8af060f3decbadbff585188750c6d6a9de9f4381c163a062e
Opcode Fuzzy Hash: c43e5eba7bb8bbcb483dfec13e3bccce5a3bfdf53653402f16b03b691b518a63
Instruction Fuzzy Hash: 39311071A40218BFFB216BB55C4AFBF7E6CFB45B50F110065FB01E61D1DAB19D00AA60

Function 00871201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00871286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008712A8
CloseHandle.KERNEL32(?), ref: 008712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008712D1
GetProcessWindowStation.USER32 ref: 008712EA
SetProcessWindowStation.USER32(00000000), ref: 008712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00871310

Part of subcall function 008710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
Part of subcall function 008710BF: CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Strings

default, xrefs: 0087130B
, xrefs: 0087125A
winsta0, xrefs: 008712CC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d3a1219f2e4f67c6a6affef9030497d97a4c4a48d1361ad46df6f70294e48c6c
Instruction ID: fcda87ccc518b7deea5e1c8b655cf97664884e83f2236db6e13b48e44acd96d3
Opcode Fuzzy Hash: d3a1219f2e4f67c6a6affef9030497d97a4c4a48d1361ad46df6f70294e48c6c
Instruction Fuzzy Hash: 42819D71900208AFEF219FA8DC49BEE7BBAFF05704F148129F914E66A4D774C944CB65

Function 00870B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870C00
GetLengthSid.ADVAPI32(?), ref: 00870C17
GetAce.ADVAPI32(?,00000000,?), ref: 00870C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870C6D
GetLengthSid.ADVAPI32(?), ref: 00870C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870C8C
HeapAlloc.KERNEL32(00000000), ref: 00870C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870CB4
CopySid.ADVAPI32(00000000), ref: 00870CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D45
HeapFree.KERNEL32(00000000), ref: 00870D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D55
HeapFree.KERNEL32(00000000), ref: 00870D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870D65
HeapFree.KERNEL32(00000000), ref: 00870D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00870D78
HeapFree.KERNEL32(00000000), ref: 00870D7F

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction ID: f04aa307d036dc1ea4e2f0ad3ba18c60c1f70765eab9db2d73ac6bf8261845d2
Opcode Fuzzy Hash: 45878661e8de86a8c88a90153f60b12486fc92120f7f742692ab7d5295d99260
Instruction Fuzzy Hash: 4B713C71A0020AEBEF10DFA4DC48BAEBBB8FF05310F148615E919E6295D775E905CF60

Function 0088EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(008ACC08), ref: 0088EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0088EB37
GetClipboardData.USER32(0000000D), ref: 0088EB43
CloseClipboard.USER32 ref: 0088EB4F
GlobalLock.KERNEL32(00000000), ref: 0088EB87
CloseClipboard.USER32 ref: 0088EB91
GlobalUnlock.KERNEL32(00000000), ref: 0088EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0088EBC9
GetClipboardData.USER32(00000001), ref: 0088EBD1
GlobalLock.KERNEL32(00000000), ref: 0088EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0088EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0088EC38
GetClipboardData.USER32(0000000F), ref: 0088EC44
GlobalLock.KERNEL32(00000000), ref: 0088EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0088EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0088ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0088ECF3
CountClipboardFormats.USER32 ref: 0088ED14
CloseClipboard.USER32 ref: 0088ED59

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 527503877cae71db8263cf0b58aa055d114de37d4355ba7c85f1f718c32c62f1
Instruction ID: 633a7cf0669e7108942ce50a8ff17b37dc466ab25bdbd8524c71ce7e867e3be0
Opcode Fuzzy Hash: 527503877cae71db8263cf0b58aa055d114de37d4355ba7c85f1f718c32c62f1
Instruction Fuzzy Hash: 2061BD342042059FE310EF28D894F6ABBA8FF85714F18451DF496D76A2DB31ED49CBA2

Function 0088698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008869BE
FindClose.KERNEL32(00000000), ref: 00886A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00886A75

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00886AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00886ADF

Strings

%03d, xrefs: 00886DA2
%02d, xrefs: 00886C00, 00886C0A, 00886C5A, 00886CAA, 00886CFA, 00886D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00886B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00886B32
%4d, xrefs: 00886BB1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cd539a2e872fbe50a9895a9c2ec7c0868bd1f2da7e3fbb00d0ca3de5d8ba32de
Instruction ID: 6d44530155ac059c145f82fe8597139afeab526d3e926450768e5ef87e6d4f5e
Opcode Fuzzy Hash: cd539a2e872fbe50a9895a9c2ec7c0868bd1f2da7e3fbb00d0ca3de5d8ba32de
Instruction Fuzzy Hash: 06D12C72508300AAC714EBA8D891EABB7ECFF88704F44491EF585D7291EB74DA44CB63

Function 00889642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00889663
GetFileAttributesW.KERNEL32(?), ref: 008896A1
SetFileAttributesW.KERNEL32(?,?), ref: 008896BB
FindNextFileW.KERNEL32(00000000,?), ref: 008896D3
FindClose.KERNEL32(00000000), ref: 008896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0088974A
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 00889768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00889772
FindClose.KERNEL32(00000000), ref: 0088977F
FindClose.KERNEL32(00000000), ref: 0088978F

Strings

*.*, xrefs: 008896F5

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction ID: 7a6813a68ac68ac39c4800058b60ea3f36b32e74ab9a25e210a598cb9248e469
Opcode Fuzzy Hash: e81c4f1c5a21108f7ba14b21a741e3574d5e5cefa170ce81816fa471f7bcca4b
Instruction Fuzzy Hash: 6331C0325412196AEF20FFB4DC08AEE77ACFF4A320F184156F855E22A0EB74DE408B54

Function 0088979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00889819
FindClose.KERNEL32(00000000), ref: 00889824
FindFirstFileW.KERNEL32(*.*,?), ref: 00889840
SetCurrentDirectoryW.KERNEL32(?), ref: 00889890
SetCurrentDirectoryW.KERNEL32(008D6B7C), ref: 008898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008898B8
FindClose.KERNEL32(00000000), ref: 008898C5
FindClose.KERNEL32(00000000), ref: 008898D5

Part of subcall function 0087DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0087DB00

Strings

*.*, xrefs: 0088983B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction ID: 1421da529393fbbd0d4d7643d9c05ea0bba676cb1f48f1c7ec1583597b05a411
Opcode Fuzzy Hash: b950f0f06f11aabe836724549331d907aacce1ba4713af246605aa39aef6f8ef
Instruction Fuzzy Hash: 9831A33150061E6EEF10BFB4DC48AEE77ACFF46324F184166E894E2691EB75DE448B60

Function 0089BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0089BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0089BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0089C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0089C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0089C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0089C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0089C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0089C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0089C382
RegCloseKey.ADVAPI32(00000000), ref: 0089C38F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 5e97ecfd1c6691fab96e11803a9dc9cd0eb254923d95ad1be4e2e0f07f79e0e7
Instruction ID: 5600a84c766d8a2540b0a47f206f9f2c4d1df3fae04705cb80fd052309981e07
Opcode Fuzzy Hash: 5e97ecfd1c6691fab96e11803a9dc9cd0eb254923d95ad1be4e2e0f07f79e0e7
Instruction Fuzzy Hash: E1022E716042009FDB14DF28C895E2ABBE5FF49318F19849DF84ADB2A2DB31ED45CB52

Function 00888195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00888257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00888267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00888273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00888310
SetCurrentDirectoryW.KERNEL32(?), ref: 00888324
SetCurrentDirectoryW.KERNEL32(?), ref: 00888356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0088838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00888395

Strings

*.*, xrefs: 0088839B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction ID: 9bd259eb8d3483169038e16cfc408bb5c9460502cf9d5699998f62ff1459170f
Opcode Fuzzy Hash: 02424f832d2ea5e739f452a789d861a90500819fd43231abc464ee0ce0fbc055
Instruction Fuzzy Hash: C06169725043059FDB10EF68C8849AEB3E9FF89314F44892EF999C7251EB31E945CB92

Function 0087D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0087D1DD
MoveFileW.KERNEL32(?,?), ref: 0087D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D237

Part of subcall function 0087D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0087D21C,?,?), ref: 0087D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0087D253
FindClose.KERNEL32(00000000), ref: 0087D264

Strings

\*.*, xrefs: 0087D0CD, 0087D0D6, 0087D0EB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: fd514b4674f4aac4d4b316e8301e7aa8b3d05f16c33a1b13279e32909bf078a7
Instruction ID: f9880ab141660cc5a7733c83ab855e5758e04019233b317e66a701f521562e6b
Opcode Fuzzy Hash: fd514b4674f4aac4d4b316e8301e7aa8b3d05f16c33a1b13279e32909bf078a7
Instruction Fuzzy Hash: D7617E3180120D9ACF05EBE4D9529EDB7B9FF15300F248165E44AF7196EB31AF4ACB62

Function 0088ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0088ED91
EmptyClipboard.USER32 ref: 0088ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0088EDAC
CloseClipboard.USER32 ref: 0088EEA3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction ID: c4769590371508fabd6540fcd51cdcc31d9222d27240fd0e199f47267cdcc307
Opcode Fuzzy Hash: 6afddd7c7075babbe31b5cbc6f32a2cdfa88d4217213d86a0fa81f974bba9bef
Instruction Fuzzy Hash: 16418D35208611AFE720EF19D888B59BBE5FF55318F14C09DE419CBAA2CB75EC42CB91

Function 0087E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
Part of subcall function 008716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
Part of subcall function 008716C3: GetLastError.KERNEL32 ref: 0087174A

ExitWindowsEx.USER32(?,00000000), ref: 0087E932

Strings

SeShutdownPrivilege, xrefs: 0087E902
@, xrefs: 0087E925
, xrefs: 0087E920
, xrefs: 0087E95C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction ID: ed33613e9fe8b1d7641eaaf207c1f2b2daa2998334ea485910f841f1d088ddc5
Opcode Fuzzy Hash: 7b513760314a0fb0039a20554f8adc4fc582eb44f8b45c22ccbff6819fe44eb1
Instruction Fuzzy Hash: 92014933610214AFFB6466B89C8AFBF769CF719744F148462FE1BE31D5D6A0DC408290

Function 00891204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00891276
WSAGetLastError.WSOCK32 ref: 00891283
bind.WSOCK32(00000000,?,00000010), ref: 008912BA
WSAGetLastError.WSOCK32 ref: 008912C5
closesocket.WSOCK32(00000000), ref: 008912F4
listen.WSOCK32(00000000,00000005), ref: 00891303
WSAGetLastError.WSOCK32 ref: 0089130D
closesocket.WSOCK32(00000000), ref: 0089133C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction ID: 7c4c5c9326b48492d8c47b1bbcdd4b147839af500790e0f5eda8c3aac92c5c08
Opcode Fuzzy Hash: 70e39943a1120b97cb07078d6d3d50993a70432b3c8a748ac07b8d39e546fbdf
Instruction Fuzzy Hash: 62416E316041019FEB10EF68C488B69BBE6FF46318F188198E856DF296C775ED81CBA1

Function 0087D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

FindFirstFileW.KERNEL32(?,?), ref: 0087D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0087D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0087D481
FindClose.KERNEL32(00000000), ref: 0087D498
FindClose.KERNEL32(00000000), ref: 0087D4A1

Strings

\*.*, xrefs: 0087D3F2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dbf3f8351fb59d69aa546cf4f396c05097d5a8c8547d46df8b2c21f2bcf34e03
Instruction ID: 5fbcaa0f860aee7ad12e3d7cec2409ef96ea4cc83973e0b340ad352761a3718e
Opcode Fuzzy Hash: dbf3f8351fb59d69aa546cf4f396c05097d5a8c8547d46df8b2c21f2bcf34e03
Instruction Fuzzy Hash: 13316F710083459BC204EF68D8559EFB7ACFE92314F448A2DF4E5D2191EB20EA49D767

Function 0084E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0084E645

Strings

1#SNAN, xrefs: 0084F844
1#QNAN, xrefs: 0084F84B
1#INF, xrefs: 0084F852
1#IND, xrefs: 0084F83D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction ID: 90275f9f6f5757bdbecf5443cf373a04b143d6c6901470a5804ff7d31f321b81
Opcode Fuzzy Hash: ef0ef7d62c2f6b6ab658af321834053647aad31f405d5ae8be2bcd182bb32946
Instruction Fuzzy Hash: CDC22872E0462C8FDB25CE289D407EAB7B5FB88305F1541EAD94DE7241E778AE818F41

Function 0088648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008864DC
CoInitialize.OLE32(00000000), ref: 00886639
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 00886650
CoUninitialize.OLE32 ref: 008868D4

Strings

.lnk, xrefs: 008864BA, 00886524, 008865E0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0996ca7053b17458bc0514cf94edb80bd99039ae1450c8b4188c986315c2d89b
Instruction ID: 3622fa213303c409e7b35e917ac7eb2557190a82d691d3d4a28ee2f28f676cb7
Opcode Fuzzy Hash: 0996ca7053b17458bc0514cf94edb80bd99039ae1450c8b4188c986315c2d89b
Instruction Fuzzy Hash: 3AD139715083019FD304EF28C891AABB7E9FF99704F10496DF595CB291EB70E946CB92

Function 008922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008922E8

Part of subcall function 0088E4EC: GetWindowRect.USER32(?,?), ref: 0088E504

GetDesktopWindow.USER32 ref: 00892312
GetWindowRect.USER32(00000000), ref: 00892319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00892355
GetCursorPos.USER32(?), ref: 00892381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008923DF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction ID: 915fcaadd45099f62c482e08fac491cd9e0f5a7f26ce41c3a69a42d30a1d1078
Opcode Fuzzy Hash: 3dc77ebf6d51a9f89fdea5b2214a86963387fe7439ee58600a8ec578b88dce82
Instruction Fuzzy Hash: 6331E072504315AFDB20EF58C849B5BBBA9FF89314F04091DF989D7291DB34EA08CB92

Function 00889B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00889B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00889C8B

Part of subcall function 00883874: GetInputState.USER32 ref: 008838CB
Part of subcall function 00883874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00889BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00889C75

Strings

*.*, xrefs: 00889B5D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e6affcf0b4ee6940e02877b0619730d5f461a548aee624ba714b0694392e21aa
Instruction ID: 269e4de35f460f0a87444b13994afe44448478b9613ac4ae010d66618f43f646
Opcode Fuzzy Hash: e6affcf0b4ee6940e02877b0619730d5f461a548aee624ba714b0694392e21aa
Instruction Fuzzy Hash: A341827190020AAFDF15EFA8C845AEE7BB9FF45310F144156E855E2291EB31AE84CF61

Function 0082997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00829A4E
GetSysColor.USER32(0000000F), ref: 00829B23
SetBkColor.GDI32(?,00000000), ref: 00829B36

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction ID: a81398d775928f81ac40f502fd09bb19fbe4c064f8d9963ffe30b5e33fe9d730
Opcode Fuzzy Hash: 71918c04e86930b879b2dd05fbe4d7a575905b780092bff031dec608c10d27aa
Instruction Fuzzy Hash: 05A12D70108578AEE724AA3CAC9CE7B3A9DFF43318F164119F583D69D1CA259D81D3B2

Function 00891806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0089185D
WSAGetLastError.WSOCK32 ref: 00891884
bind.WSOCK32(00000000,?,00000010), ref: 008918DB
WSAGetLastError.WSOCK32 ref: 008918E6
closesocket.WSOCK32(00000000), ref: 00891915

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f30bb6cfc0179df843ad0386fede923eab226ede30629318ad47b0aca15e5a06
Instruction ID: 5877d5369995596257fc4caa8b3cffc95542356e7760dae39aba2230e68c09aa
Opcode Fuzzy Hash: f30bb6cfc0179df843ad0386fede923eab226ede30629318ad47b0aca15e5a06
Instruction Fuzzy Hash: 70519671A002105FEB10AF28D88AF6A77E5FF45718F088058F955AF3D3DB71AD818B92

Function 008A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 008A1CC0
IsWindowEnabled.USER32 ref: 008A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 008A1CDB
IsIconic.USER32 ref: 008A1CE9
IsZoomed.USER32 ref: 008A1CF7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 211d2628861166353967e23b7234e9060e8bd2af85c794527a936bcc811f4ec6
Instruction ID: 4eb90dddcd8b453d1d5717e66cdff3021b6b0b672833f54202957d932f8a96cc
Opcode Fuzzy Hash: 211d2628861166353967e23b7234e9060e8bd2af85c794527a936bcc811f4ec6
Instruction Fuzzy Hash: C02191317406119FFB208F2AC848B6A7BE5FF96324F198058E846CBA51DB71EC42CB95

Function 00818060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008183FA
VUUU, xrefs: 0081843C
VUUU, xrefs: 008183E8
ERCP, xrefs: 0081813C
VUUU, xrefs: 00855DF0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction ID: f6ed3510bce12d766c6cdd333771aeedf7427cf30019443d3fedab949d82875c
Opcode Fuzzy Hash: 1a235cdec599ea831806ade56c68dcfc8ad3bb9819cefae649d12799d7f074b4
Instruction Fuzzy Hash: 6DA25770A0061ACBDF248F58C8957EEB7B6FF54315F6481AAEC15E7280EB309DD58B90

Function 0087AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0087AAAC
SetKeyboardState.USER32(00000080), ref: 0087AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0087AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0087AB88

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction ID: e4d89d304964572152231b3674b480ef13043c721d7f85924c2283f983d4e755
Opcode Fuzzy Hash: 280e5ea90575dffde57b4b8e4e6c4a69fe3620f89f59212378426c982db2c3b6
Instruction Fuzzy Hash: FD31F730A40208AEFB29CA64C845BFE77A6FBC5320F04C21AF199D61D9D375D985C752

Function 0084BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0084BB7F

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

GetTimeZoneInformation.KERNEL32 ref: 0084BB91
WideCharToMultiByte.KERNEL32(00000000,?,008E121C,000000FF,?,0000003F,?,?), ref: 0084BC09
WideCharToMultiByte.KERNEL32(00000000,?,008E1270,000000FF,?,0000003F,?,?,?,008E121C,000000FF,?,0000003F,?,?), ref: 0084BC36

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: bfd3db76c2299b0b50b527ca78de783832e56ccd61457a075d0c40ec19f95117
Instruction ID: d2f00f8fa3b31b1e19000d1dc69358b4ff09fc651cc74e3d467c959265b50168
Opcode Fuzzy Hash: bfd3db76c2299b0b50b527ca78de783832e56ccd61457a075d0c40ec19f95117
Instruction Fuzzy Hash: BF31BE70A04289EFCB11DF69CCC492DBBB8FF5672071446AAE160DB2A1D730DE41CB90

Function 0088CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0088CE89
GetLastError.KERNEL32(?,00000000), ref: 0088CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0088CEFE

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9ee61256e5bb22776ca1e2de2015163071ed9fff0ac9b8165960ae61222676c7
Instruction ID: b422cac32ce97d7bfca0a75494c64fafe71adddba90f3cd6573f66735f01e109
Opcode Fuzzy Hash: 9ee61256e5bb22776ca1e2de2015163071ed9fff0ac9b8165960ae61222676c7
Instruction Fuzzy Hash: 2B219DB1500305ABEB30EF65D949BA6B7F8FB50358F10441EE646D2151EBB4EE048BA0

Function 00878298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008782AA

Strings

(, xrefs: 008782F0
|, xrefs: 008782DA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d67c11843ea49b21ecc00ca80bee6a47c3d18beb757a8d7b6d5983c900b530ff
Instruction ID: 3e4315dace8ae9acd4099724091ef9217bdbc8a5c60c4521efc749b1b1417eac
Opcode Fuzzy Hash: d67c11843ea49b21ecc00ca80bee6a47c3d18beb757a8d7b6d5983c900b530ff
Instruction Fuzzy Hash: C3324474A00605DFCB28CF69C084A6AB7F0FF48710B15C56EE59ADB7A5EB70E981CB40

Function 00885C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00885CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00885D17
FindClose.KERNEL32(?), ref: 00885D5F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5844bd2835ab6826122dd459276e85080f3a1769b44eccc898907221b788f6b5
Instruction ID: bfa16de0fd5c0a47a935b305604b2fef47f2168c5a6dc33c218eb7ab6be4f3b9
Opcode Fuzzy Hash: 5844bd2835ab6826122dd459276e85080f3a1769b44eccc898907221b788f6b5
Instruction Fuzzy Hash: 0C519A346046019FC714DF28C494A96B7E4FF49324F14856EE96ACB3A2DB30ED45CF91

Function 00842622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0084271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00842724
UnhandledExceptionFilter.KERNEL32(?), ref: 00842731

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction ID: a0ae00a625feae205408cdc14a079cac187cab6c32ae06a0e1ce871dd22fdaa0
Opcode Fuzzy Hash: 103fa85694bd72516340e633bdd5b210db18f47ea86ac3f5f0dc8958976afcae
Instruction Fuzzy Hash: 0E31B47491122C9BCB21DF68DD897D9BBB8FF48310F5041EAE41CA6261E7709F818F85

Function 008851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00885238
SetErrorMode.KERNEL32(00000000), ref: 008852A1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction ID: 7585707be00c5a8b2584deec7bc277720e4d3f5f659d68fb85b20328f20c49a1
Opcode Fuzzy Hash: 2fe51de855f3dbccc717290ded37f22176f4346a376850aa26a566f18cf970d8
Instruction Fuzzy Hash: 02312C75A00518DFDB00EF54D884EADBBB5FF49314F048099E805EB362DB31E856CB91

Function 008716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830668
Part of subcall function 0082FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00830685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087173A
GetLastError.KERNEL32 ref: 0087174A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: df6659531b2ea56fb9050b751370aa29072aabfffbd84fc5864df112e91214c5
Instruction ID: e4078a1d435ab052e038c9126f45bf5b16a499d4bed637ab125a941e1186aa11
Opcode Fuzzy Hash: df6659531b2ea56fb9050b751370aa29072aabfffbd84fc5864df112e91214c5
Instruction Fuzzy Hash: E41194B2414304AFE7189F58EC86D6AB7FDFB44754B20C52EE45697645EB70FC81CA20

Function 0087D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0087D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0087D650

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction ID: a0da2529d917954f9e4f02ee1a0bd0d96d93c8aa645376bdb232864b3f8e7822
Opcode Fuzzy Hash: 9ad26a22901c90ecb58950b11e34daeca8fa1ba67a7f94928a92ab273f135e8d
Instruction Fuzzy Hash: 9A113C75E05228BBEB108F959C45FAFBBBCFB46B50F108115F908E7294D6704A058BA1

Function 00871663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0087168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008716A1
FreeSid.ADVAPI32(?), ref: 008716B1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction ID: 14f975cc50021222f181a54d3cae474063be1a0995d89ef05a3f1a12e43fa8df
Opcode Fuzzy Hash: b2854324620d84566f6a67ff1ab0393319830a64b2d3ce7f5be490a297d300a7
Instruction Fuzzy Hash: E3F0F47195030DFBEF00DFE49C89AAEBBBCFB08604F508565E501E2181E774AA448A50

Function 0086D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0086D28C

Strings

X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction ID: 6e2c9c45aca7a1fd45289ba0722db5f21f1a33143aa9525a0e74249bd8353c5d
Opcode Fuzzy Hash: e0b270b6208a189c136f63fb34611c9d2dcd6390d35d155ccea51b54b2b2a23b
Instruction Fuzzy Hash: EBD0C9B580166DEACB90CB90EC88DD9B77CFB14309F100151F106E2100DB3095488F10

Function 0083CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c7ae74d5d22689fed4a7c95cebbc19c7bd414f0fb8af528d0a07f731c6078236
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 3E020D72E012199BDF14CFA9D8806ADFBF1FF88314F258169E919F7384D731AA418B94

Function 008868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00886918
FindClose.KERNEL32(00000000), ref: 00886961

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction ID: fd57118e21a5d73800ea0b5f37bd52bfdaf92c5d90442436a58cd6d74e35f3a2
Opcode Fuzzy Hash: d367d2b83307971664c84a3a53e29c01c8e3d1d7063b31b51c89d007407b45ca
Instruction Fuzzy Hash: E2119D316042009FD710DF29D888A16BBE5FF89328F14C6A9E469CF7A2DB34EC45CB91

Function 008837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00894891,?,?,00000035,?), ref: 008837F4

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1e4ae83ecc798407095051d9e96dacc85f234675a326f2d8f3f65fdb0174206a
Instruction ID: a66c83bad438ab707e690397428537efb982b10e193aeac3b4626188b74d48df
Opcode Fuzzy Hash: 1e4ae83ecc798407095051d9e96dacc85f234675a326f2d8f3f65fdb0174206a
Instruction Fuzzy Hash: FDF0E5B06042282AEB20276A8C4DFEB3AAEFFC5B61F000175F509D2281D9609944C7B1

Function 0087B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0087B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0087B270

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction ID: 56517607f4ed18f5ec4bb18be493a894ea84a9584e88959372fc318eca270a43
Opcode Fuzzy Hash: 524051892c3e4d217c366adbda91792be568011263a177677af199572bb8bb55
Instruction Fuzzy Hash: 25F01D7181424DABEB059FA4C805BBE7BB5FF05309F048009F955E6192C379C6119F94

Function 008710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008711FC), ref: 008710D4
CloseHandle.KERNEL32(?,?,008711FC), ref: 008710E9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 292b547ea473813a47ffe10d2c67211d5e01242e0019c2f8890e09521a3bb58d
Instruction ID: 159ef090f17797ad386ea1fd1ec5875bef9ec8d238261c917be51bd0882b5e4d
Opcode Fuzzy Hash: 292b547ea473813a47ffe10d2c67211d5e01242e0019c2f8890e09521a3bb58d
Instruction Fuzzy Hash: 9BE04F32004610AEFB252B15FC09E7377A9FF04310B10882DF5A6C08B1DB62ACD0DB10

Function 0081CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00860C40

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 30e85f9ab65b4e00310ffb0809c12bbb1ce07730918227b9926d977585bdcee0
Instruction ID: b774454dddc28c2762a82b47238c4f3cf5f0ae51ef3b2919cd4d3d47a5c8a9b0
Opcode Fuzzy Hash: 30e85f9ab65b4e00310ffb0809c12bbb1ce07730918227b9926d977585bdcee0
Instruction Fuzzy Hash: BC328D70940218DBCF14DF94D881AEEB7B9FF05308F148159E806EB292DB75AE86CF65

Function 0084676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00846766,?,?,00000008,?,?,0084FEFE,00000000), ref: 00846998

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction ID: a642d05dabaa7eb16fe400253d06f9fa970551e5c75dc5a04351955ebeed5247
Opcode Fuzzy Hash: cea1b9150f361c659902684389e7058cd1410a48798386b4049c0cef99ba48e3
Instruction Fuzzy Hash: 8AB13B3161060D9FD715CF28C486B657FE0FF46368F298658E899CF2A2D335E9A1CB41

Function 0082B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0086851F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction ID: 216920d801b8118a1d463272249d7e407a4e92af7020281f7621547972a460bb
Opcode Fuzzy Hash: b212818d0b91b5ed7220222ddd69c2db6764735fc6f747ef757894932280415e
Instruction Fuzzy Hash: CC125D71900229DBDB24DF58D880AEEB7F5FF48710F15819AE849EB355DB309E81CB94

Function 0088EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0088EABD

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction ID: 4c512078564a12f03963e9a6c230394c3ca346c48f19accb7df23dd2d3d3de31
Opcode Fuzzy Hash: ce588ee29a22f8555bbf39b71dd1544767d069b9a1f00d930e07580c95f61921
Instruction Fuzzy Hash: F8E01A312002149FD710EF59D804E9AB7EDFFA8760F00841AFC49C7251DAB0E8818B91

Function 008309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008303EE), ref: 008309DA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction ID: 20df7bdd77c022cd690da5cce05f22b331c7ac8e80e7d5dd8941b7f5ca93258c
Opcode Fuzzy Hash: bc919a8e2cf1ceac08001761b7f7edd08c4a54187c05fa91ea0ebd217892c5ff
Instruction Fuzzy Hash:

Function 0083781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0083798B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 1b49fa875631ea889c9f200ae6ab626512ab636b6a6e1c4dc23dc3387ca48c4d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D516AE160C749ABDB38552C845E7BE67C5FBD2304F180A39ED82D7682C619DE01D3DA

Function 00846DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction ID: fb81b05b4a5898cfc4bd33b73685602ab858eaa4dee5a6eccf17f0bd3b4e6417
Opcode Fuzzy Hash: f8e1d9d38be0a9137e8619b6063ed8a4132fdc80d7ecd34337e1c466149c9185
Instruction Fuzzy Hash: 6B320222D29F454DDB239635C822336A749FFB73C5F15D737E81AB5AA6EB29C4834100

Function 0082CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction ID: e906d5ca14522cfc8a7d248986f17f46b357e028a35781b065360528bcd43354
Opcode Fuzzy Hash: b262e182013ceb25a29c1af994b5f9018ca2059bb18a7ebe52985b5d463533fa
Instruction Fuzzy Hash: 10323572A001698BCF28CF69D89467D7BA1FB45314F2A816BD8CACB391D734DE81DB41

Function 00817920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28b65d2503f05a43f7200c8e6118d3dfaa51c609fc6be0208bcebfaaf08f199
Instruction ID: 5a218a5b98cbf5a3f3e2b22221fd1c0603517c14f7f049625c065a6a9635e500
Opcode Fuzzy Hash: b28b65d2503f05a43f7200c8e6118d3dfaa51c609fc6be0208bcebfaaf08f199
Instruction Fuzzy Hash: 5222BFB0A04609DFDF14CF68D891AEEB7F9FF44314F204229E816E7291EB369994CB51

Function 008191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18deb4238056ccca744981b76c45932a3bd108439d729ee8809eed0f92ef395c
Instruction ID: f2290b465aeb1debf81ef7d1a53a3e6021522a065d55491f560358989eb0f6d7
Opcode Fuzzy Hash: 18deb4238056ccca744981b76c45932a3bd108439d729ee8809eed0f92ef395c
Instruction Fuzzy Hash: 9802D6B0E00119EBDB09DF68D981AAEB7B5FF44304F118169E856DB391EB31EE54CB81

Function 00849EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ca06e48a35345d1025dd428b3fa7213d197438489344e59d8dac0b6baca552
Instruction ID: e2d17bf45adf3dbbe5e3a9e99bf734cf63b1d32b83026841a0b153f135727fab
Opcode Fuzzy Hash: f4ca06e48a35345d1025dd428b3fa7213d197438489344e59d8dac0b6baca552
Instruction Fuzzy Hash: F9B1DF20D2AF554DD22396399821337B79CBFBB6D5F91D71BFC2674E22EB2286834140

Function 00831C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7233a08605e71bea38fa3afce6ea0a94e46470858d457775c56973dc14477149
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5F9178722090A349DF69463A857C03DFFE1FAD2BA1B1A079DD8F2CA1C1EE14C554D660

Function 00831F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: a92f90688df5fdae5246a6f966f85d13eafd181203a231292633c3834e77241d
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 929199722090A349DB6D423D853803EFFE1FAD27A1B1A079DD4F2CB1C5EE24D558E6A0

Function 008319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5bd3cfd7bc3e020fdd26fb9e58f3014ff24f0365b232043a65fa3e5129125459
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 7D9153722090A34ADF69427A857C03DFFE1EAD2BB6B1A079DD4F2CA1C1FE1485649660

Function 00837A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction ID: 4fbabdcf2a005b60049a13f9edfb7f1fe59e270673dbdfca2964a3941707b248
Opcode Fuzzy Hash: cf8993e98e8b2801585ff3f3187af8f14567d2554357156b8ec6b6aaecf81f46
Instruction Fuzzy Hash: B16179F1208719A6DE349A2C8CA5BBEA3A4FFC1764F140D1AF943DB281D651DE42C3D6

Function 00837CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction ID: d3cf7b5636e3d43d6c2b852d1beb03d554085a51f0154096a168c26123895f35
Opcode Fuzzy Hash: f9559d90bb9049eccd817f4316904b2ed2e513dd0ade78bf26166ee9bc437f90
Instruction Fuzzy Hash: A6616AF160C709A6DE389A2C9895BBF2398FFC1B04F100959F943DB285EA52DD4287D6

Function 00831706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d51ebd215d6352ae5dd3ae154b35713014a6449aa6e73c61c95f9234e349808
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BF8184326090A309DF6D423A857C03EFFE1FAD2BA1B1A07ADD4F2CA1C5EE148554D6A0

Function 00882046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction ID: a67522e40ed37fcac2a56266aa90503e2a321e6c27a394e4c52d64206fd4cf85
Opcode Fuzzy Hash: 2c8e22dd85afc12a18eb60b4e5f0048fc0c44146c458c4b43d3fbc42cbf757af
Instruction Fuzzy Hash: B021A8326206518BDB28CE79C85267A73E9F7A4310F15862EE4A7C77D0DE75A904CB80

Function 00892ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00892B30
DeleteObject.GDI32(00000000), ref: 00892B43
DestroyWindow.USER32 ref: 00892B52
GetDesktopWindow.USER32 ref: 00892B6D
GetWindowRect.USER32(00000000), ref: 00892B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00892CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00892CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892CF8
GetClientRect.USER32(00000000,?), ref: 00892D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00892D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D80
GlobalLock.KERNEL32(00000000), ref: 00892D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892D98
GlobalUnlock.KERNEL32(00000000), ref: 00892DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DA8
GlobalFree.KERNEL32(00000000), ref: 00892DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,008AFC38,00000000), ref: 00892DDB
GlobalFree.KERNEL32(00000000), ref: 00892DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00892E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00892E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00892E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089303F

Strings

DISPLAY, xrefs: 00892EA2
AutoIt v3, xrefs: 00892CF2
static, xrefs: 00892D3A, 00892E91
, xrefs: 00892FC5

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction ID: 97de340f9f6b83ed04b2b2090e0cfc9363d2345b27cc8e2e4d2abfcd90d07a1e
Opcode Fuzzy Hash: fb38228d3c29fa54fdc59c342f3c8957a2f56fe094ee84cab5c3e5862b1c95e9
Instruction Fuzzy Hash: 04025B71A00209AFDB14DF68CC89EAE7BB9FF49714F048158F915EB2A1DB74AD41CB60

Function 008A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 008A712F
GetSysColorBrush.USER32(0000000F), ref: 008A7160
GetSysColor.USER32(0000000F), ref: 008A716C
SetBkColor.GDI32(?,000000FF), ref: 008A7186
SelectObject.GDI32(?,?), ref: 008A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 008A71C0
GetSysColor.USER32(00000010), ref: 008A71C8
CreateSolidBrush.GDI32(00000000), ref: 008A71CF
FrameRect.USER32(?,?,00000000), ref: 008A71DE
DeleteObject.GDI32(00000000), ref: 008A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 008A7230
FillRect.USER32(?,?,?), ref: 008A7262
GetWindowLongW.USER32(?,000000F0), ref: 008A7284

Part of subcall function 008A73E8: GetSysColor.USER32(00000012), ref: 008A7421
Part of subcall function 008A73E8: SetTextColor.GDI32(?,?), ref: 008A7425
Part of subcall function 008A73E8: GetSysColorBrush.USER32(0000000F), ref: 008A743B
Part of subcall function 008A73E8: GetSysColor.USER32(0000000F), ref: 008A7446
Part of subcall function 008A73E8: GetSysColor.USER32(00000011), ref: 008A7463
Part of subcall function 008A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
Part of subcall function 008A73E8: SelectObject.GDI32(?,00000000), ref: 008A7482
Part of subcall function 008A73E8: SetBkColor.GDI32(?,00000000), ref: 008A748B
Part of subcall function 008A73E8: SelectObject.GDI32(?,?), ref: 008A7498
Part of subcall function 008A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
Part of subcall function 008A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
Part of subcall function 008A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8fe330a7d2b73aa2311182c166cfe88030cca1074134de41f88f8a0ac370cf28
Instruction ID: b3bb462dd0ce0a7ae6662ff588936cfd1ad9fdde6cffd59e1b205db197554190
Opcode Fuzzy Hash: 8fe330a7d2b73aa2311182c166cfe88030cca1074134de41f88f8a0ac370cf28
Instruction Fuzzy Hash: E5A1B172508301AFEB009F64DC48E6B7BE9FF4A320F100A19FA62D65E1D771E944DB51

Function 00828D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00828E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00866AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00866AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00866F43

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

SendMessageW.USER32(?,00001053), ref: 00866F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00866F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00866FB7

Strings

0, xrefs: 00866DCF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction ID: b70db125fb125cf0974ab0f53f6bc23a8959cc2a06a46a60c42d7903aff38419
Opcode Fuzzy Hash: 0dd8709217487b3a66ea32c62c09df53a7ab02f650b81c5a8a3a299a4e8895ff
Instruction Fuzzy Hash: 9112CD34201291DFDB25DF28D888BA9BBE1FB45310F564069F485CB662DB32ECA1CF91

Function 00892711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0089273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0089286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00892900
GetClientRect.USER32(00000000,?), ref: 0089290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00892955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00892964
GetStockObject.GDI32(00000011), ref: 00892974
SelectObject.GDI32(00000000,00000000), ref: 00892978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00892988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00892991
DeleteDC.GDI32(00000000), ref: 0089299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00892A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00892A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00892A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00892A77
GetStockObject.GDI32(00000011), ref: 00892A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00892A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00892A97

Strings

DISPLAY, xrefs: 0089295A
AutoIt v3, xrefs: 008928F8
msctls_progress32, xrefs: 00892A13
static, xrefs: 0089294F, 00892A71

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6a9f505a4b66626d54d2ff73e0a16dbd40530a03a39c8a3c252f0940388148a9
Instruction ID: b82ab0379efe228cf936f22c1adff8984c37dd5cce674eb522ec3d48bd23b061
Opcode Fuzzy Hash: 6a9f505a4b66626d54d2ff73e0a16dbd40530a03a39c8a3c252f0940388148a9
Instruction Fuzzy Hash: F1B13B71A00219BFEB14DFA8DC89EAE7BA9FB09714F044115F915EB690D774AD40CBA0

Function 00884ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884AED
GetDriveTypeW.KERNEL32(?,008ACB68,?,\\.\,008ACC08), ref: 00884BCA
SetErrorMode.KERNEL32(00000000,008ACB68,?,\\.\,008ACC08), ref: 00884D36

Strings

PhysicalDrive, xrefs: 00884B76
ATAPI, xrefs: 00884C91
SSA, xrefs: 00884CA6
SSD, xrefs: 00884C4A
1394, xrefs: 00884C9F
RAID, xrefs: 00884CBB
MMC, xrefs: 00884CDE
SAS, xrefs: 00884CC9
Fixed, xrefs: 00884C09
SATA, xrefs: 00884CD0
Removable, xrefs: 00884C10, 00884C15
Virtual, xrefs: 00884CE5
USB, xrefs: 00884CB4
Fibre, xrefs: 00884CAD
iSCSI, xrefs: 00884CC2
FileBackedVirtual, xrefs: 00884CEC
\\.\, xrefs: 00884B3F
RAMDisk, xrefs: 00884BF4
SCSI, xrefs: 00884C8A
Network, xrefs: 00884C02
CDROM, xrefs: 00884BFB
Unknown, xrefs: 00884BED, 00884C83
ATA, xrefs: 00884C98

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4eba367b0bfe7ec1364a72479e4abfcb7f0aaee5c5d953821929e435b7f594e4
Instruction ID: 3b938c1218e075d32656273d48aea033e0317bb83a3a611492774d76d5b181e8
Opcode Fuzzy Hash: 4eba367b0bfe7ec1364a72479e4abfcb7f0aaee5c5d953821929e435b7f594e4
Instruction Fuzzy Hash: 7761B23260120F9BCB04EF58D9819A8B7BAFF04304B249116F816EB751EB7AED51DB42

Function 008A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 008A7421
SetTextColor.GDI32(?,?), ref: 008A7425
GetSysColorBrush.USER32(0000000F), ref: 008A743B
GetSysColor.USER32(0000000F), ref: 008A7446
CreateSolidBrush.GDI32(?), ref: 008A744B
GetSysColor.USER32(00000011), ref: 008A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 008A7471
SelectObject.GDI32(?,00000000), ref: 008A7482
SetBkColor.GDI32(?,00000000), ref: 008A748B
SelectObject.GDI32(?,?), ref: 008A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 008A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 008A7572
DrawFocusRect.USER32(?,?), ref: 008A757D
GetSysColor.USER32(00000011), ref: 008A758E
SetTextColor.GDI32(?,00000000), ref: 008A7596
DrawTextW.USER32(?,008A70F5,000000FF,?,00000000), ref: 008A75A8
SelectObject.GDI32(?,?), ref: 008A75BF
DeleteObject.GDI32(?), ref: 008A75CA
SelectObject.GDI32(?,?), ref: 008A75D0
DeleteObject.GDI32(?), ref: 008A75D5
SetTextColor.GDI32(?,?), ref: 008A75DB
SetBkColor.GDI32(?,?), ref: 008A75E5

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8d96c043a54c916231ecb35890336b2f425aec67769179f4cb329dc0346e60a8
Instruction ID: d812d1d982f2d7ba4756ad21e3d3513c687a419f784319ecacbfbd3f006acec0
Opcode Fuzzy Hash: 8d96c043a54c916231ecb35890336b2f425aec67769179f4cb329dc0346e60a8
Instruction Fuzzy Hash: 7D615C72D04218AFEF019FA4DC49EAEBFB9FF0A320F114125F915AB6A1D7749940DB90

Function 008A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008A1128
GetDesktopWindow.USER32 ref: 008A113D
GetWindowRect.USER32(00000000), ref: 008A1144
GetWindowLongW.USER32(?,000000F0), ref: 008A1199
DestroyWindow.USER32(?), ref: 008A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 008A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 008A1245
IsWindowVisible.USER32(00000000), ref: 008A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008A12D0
GetWindowRect.USER32(00000000,?), ref: 008A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 008A130E
GetMonitorInfoW.USER32(00000000,?), ref: 008A1328
CopyRect.USER32(?,?), ref: 008A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008A13AA

Strings

(, xrefs: 008A131B
tooltips_class32, xrefs: 008A11E6
0, xrefs: 008A10D3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction ID: f32fd2b9dbf027f38fc0329020a0550b3bec858c9ad43adfe1e9bf9026f1051b
Opcode Fuzzy Hash: 6078defceadd444b0d5eac0661c077c7b7f743519df4ea511750deaef69ae3f7
Instruction Fuzzy Hash: EBB18F71608341AFEB04DF64C888BAABBE5FF85354F00891CF999DB661D771D844CB92

Function 00828891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00828968
GetSystemMetrics.USER32(00000007), ref: 00828970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0082899B
GetSystemMetrics.USER32(00000008), ref: 008289A3
GetSystemMetrics.USER32(00000004), ref: 008289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00828A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00828A3C
GetClientRect.USER32(00000000,000000FF), ref: 00828A5A
GetStockObject.GDI32(00000011), ref: 00828A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00828A81

Part of subcall function 0082912D: GetCursorPos.USER32(?), ref: 00829141
Part of subcall function 0082912D: ScreenToClient.USER32(00000000,?), ref: 0082915E
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000001), ref: 00829183
Part of subcall function 0082912D: GetAsyncKeyState.USER32(00000002), ref: 0082919D

SetTimer.USER32(00000000,00000000,00000028,008290FC), ref: 00828AA8

Strings

AutoIt v3 GUI, xrefs: 00828A20

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 32a28247a5dfe2c8866bb8f7c3f0a0b463e1c65e139570e618c52a64aa3f0ba8
Instruction ID: 1e7d297346fd8879c6207814d3185916310917603fdfc47effda89773e7b3b84
Opcode Fuzzy Hash: 32a28247a5dfe2c8866bb8f7c3f0a0b463e1c65e139570e618c52a64aa3f0ba8
Instruction Fuzzy Hash: 6DB18B31A00259DFDF14DFA8DC89BAE7BB5FB49314F114229FA15EB290DB34A880CB51

Function 00870D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
Part of subcall function 008710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
Part of subcall function 008710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
Part of subcall function 008710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
Part of subcall function 008710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00870DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00870E29
GetLengthSid.ADVAPI32(?), ref: 00870E40
GetAce.ADVAPI32(?,00000000,?), ref: 00870E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00870E96
GetLengthSid.ADVAPI32(?), ref: 00870EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00870EB5
HeapAlloc.KERNEL32(00000000), ref: 00870EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00870EDD
CopySid.ADVAPI32(00000000), ref: 00870EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00870F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00870F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00870F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F6E
HeapFree.KERNEL32(00000000), ref: 00870F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F7E
HeapFree.KERNEL32(00000000), ref: 00870F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00870F8E
HeapFree.KERNEL32(00000000), ref: 00870F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00870FA1
HeapFree.KERNEL32(00000000), ref: 00870FA8

Part of subcall function 00871193: GetProcessHeap.KERNEL32(00000008,00870BB1,?,00000000,?,00870BB1,?), ref: 008711A1
Part of subcall function 00871193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00870BB1,?), ref: 008711A8
Part of subcall function 00871193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00870BB1,?), ref: 008711B7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction ID: b14e1bf5757deb1027f0da04fe830cea0fb39076fccd182a9704b252bed59697
Opcode Fuzzy Hash: 8a70958244e7b9b1ea89b5fb30c31362f84d88e68bfe1bde3e9cc2b40f376da3
Instruction Fuzzy Hash: BB712A7290020AEBEF20DFA4DC49BAEBBB8FF05310F148115E959E6195DB71D905CF60

Function 0089C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,008ACC08,00000000,?,00000000,?,?), ref: 0089C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0089C5A4
_wcslen.LIBCMT ref: 0089C5F4
_wcslen.LIBCMT ref: 0089C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0089C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0089C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0089C84D
RegCloseKey.ADVAPI32(?), ref: 0089C881
RegCloseKey.ADVAPI32(00000000), ref: 0089C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0089C960

Strings

REG_MULTI_SZ, xrefs: 0089C6F5
REG_DWORD, xrefs: 0089C804
REG_SZ, xrefs: 0089C644
REG_BINARY, xrefs: 0089C913
REG_EXPAND_SZ, xrefs: 0089C5CD
REG_QWORD, xrefs: 0089C8C3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 21cf8583f865449214236b70e26c26d3d64262738c5ce21bcd8db648be55216f
Instruction ID: 3592cf677bd1fdb2f3707b7949aa76978518516d903c92e6b052dafad841fb20
Opcode Fuzzy Hash: 21cf8583f865449214236b70e26c26d3d64262738c5ce21bcd8db648be55216f
Instruction Fuzzy Hash: 39124C356042019FDB14EF18C891A6AB7E5FF88714F09885DF85ADB3A2DB31ED41CB82

Function 008A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008A09C6
_wcslen.LIBCMT ref: 008A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A0A54
_wcslen.LIBCMT ref: 008A0A8A
_wcslen.LIBCMT ref: 008A0B06
_wcslen.LIBCMT ref: 008A0B81

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

Part of subcall function 00872BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00872BFA

Strings

CHECK, xrefs: 008A0A85, 008A0AA0
GETTEXT, xrefs: 008A0C97
ISCHECKED, xrefs: 008A0CE1
COLLAPSE, xrefs: 008A0B01, 008A0B1C
EXPAND, xrefs: 008A0BF8
GETITEMCOUNT, xrefs: 008A0C1E
GETSELECTED, xrefs: 008A0C4E
UNCHECK, xrefs: 008A0D3E
SELECT, xrefs: 008A0D11
EXISTS, xrefs: 008A0B7C, 008A0B97
GETTOTALCOUNT, xrefs: 008A09F2, 008A0A17

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 716e9a4005f01f64d5895b919b6b49adda69139083b3da1deea875496948c684
Instruction ID: d2534ad2d83b0b296e046ab743acea7ecfaecec67bae64dd29afc931086d326d
Opcode Fuzzy Hash: 716e9a4005f01f64d5895b919b6b49adda69139083b3da1deea875496948c684
Instruction Fuzzy Hash: C2E16A312083118FD714DF28C45096AB7E2FF99314B148A5DF896DB7A2D731ED86CB92

Function 0089C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
_wcslen.LIBCMT ref: 0089C9F1
_wcslen.LIBCMT ref: 0089CA68
_wcslen.LIBCMT ref: 0089CA9E
_wcslen.LIBCMT ref: 0089CAF9
_wcslen.LIBCMT ref: 0089CB2F
_wcslen.LIBCMT ref: 0089CB7F

Strings

HKCR, xrefs: 0089CB29, 0089CB2E
HKEY_CLASSES_ROOT, xrefs: 0089CAF3, 0089CAF8
HKU, xrefs: 0089CBF0
HKEY_CURRENT_USER, xrefs: 0089CBBD
HKEY_USERS, xrefs: 0089CBDF
HKLM, xrefs: 0089CA98, 0089CA9D
HKCU, xrefs: 0089CBCE
HKEY_LOCAL_MACHINE, xrefs: 0089CA62, 0089CA67
HKEY_CURRENT_CONFIG, xrefs: 0089CB79, 0089CB7E
HKCC, xrefs: 0089CBAC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction ID: e2dcc496cbc453e223f1c7aac6548b2724d889f6aeb33e00598e37133f5a0db2
Opcode Fuzzy Hash: a3bd66c0332dd3843bc65499351af19d5925b0f863c407315e2162c468fa2866
Instruction Fuzzy Hash: D371F27260016A8BCF20EE6CCD515BE3795FFA0764F590629F856D7284F636CD84C3A1

Function 008A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008A835A
_wcslen.LIBCMT ref: 008A836E
_wcslen.LIBCMT ref: 008A8391
_wcslen.LIBCMT ref: 008A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,008A361A,?), ref: 008A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008A8501
FreeLibrary.KERNEL32(?), ref: 008A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008A851D
DestroyIcon.USER32(?), ref: 008A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008A8555

Strings

.icl, xrefs: 008A8368
.dll, xrefs: 008A83AB
.exe, xrefs: 008A8388

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction ID: 4b2ebc5ca45f76d45d4bc894b703365abf446d762a3b20b491cd2aba7895bf4b
Opcode Fuzzy Hash: 8d802d9fe56fe3c04bd826e91ae5089fb377b311fc1d91e6e1ec46e38be62a71
Instruction Fuzzy Hash: 7461BD71900219FEFB14DF68CC45BBE77A8FB09B21F104609F815D65D1EBB4A990CBA0

Function 00817778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 0081782F
#requireadmin, xrefs: 008177FF
", xrefs: 00855153
#OnAutoItStartRegister, xrefs: 00817817
Unterminated group of comments, xrefs: 0085528C
#cs, xrefs: 00817873, 008178C5
Cannot parse #include, xrefs: 00855279
#notrayicon, xrefs: 008177E7
', xrefs: 00855169
#include, xrefs: 00817847
Bad directive syntax error, xrefs: 0085519A
#comments-start, xrefs: 0081785F, 008178B1
#comments-end, xrefs: 008178D9
#pragma compile, xrefs: 008177D3
#ce, xrefs: 008178ED

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 75fe9dcb434230c7d2388be25eee50cc6a1b0178d99725b8d0920e42a2b67bcb
Instruction ID: 921aab522a8fcdf0d3e9c881b381441dd966d4d0b9977d0fc1bf432ed46209bd
Opcode Fuzzy Hash: 75fe9dcb434230c7d2388be25eee50cc6a1b0178d99725b8d0920e42a2b67bcb
Instruction Fuzzy Hash: CF81F471644605ABDB20AF64DC52FEE3BB8FF55300F044428FD05EA292EB74D985C7A2

Function 00883E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00883EF8
_wcslen.LIBCMT ref: 00883F03
_wcslen.LIBCMT ref: 00883F5A
_wcslen.LIBCMT ref: 00883F98
GetDriveTypeW.KERNEL32(?), ref: 00883FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0088401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00884059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00884087

Strings

open, xrefs: 00883F54, 00883F59
type cdaudio alias cd wait, xrefs: 00884001
wait, xrefs: 00884044
close, xrefs: 00883EFE, 00883F18
closed, xrefs: 00883F08, 00883F2D, 00883F46, 00883F7E, 00883F97
close cd wait, xrefs: 00884072
open , xrefs: 00883FE5
set cd door , xrefs: 00884028

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: f9e0e79b9cb195e08bfeb32f655ab5dd8ad10706ce0f0d4e1c983d6b1090b707
Instruction ID: 710eff6418c2f940b0fc552006327a5e1a778ea6a51ffddde00c058044a8c870
Opcode Fuzzy Hash: f9e0e79b9cb195e08bfeb32f655ab5dd8ad10706ce0f0d4e1c983d6b1090b707
Instruction Fuzzy Hash: DB7190325046069FC310EF28C8419ABB7E4FF94764F104A2DF996D7251EB35ED45CB92

Function 00875A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00875A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00875A40
SetWindowTextW.USER32(?,?), ref: 00875A57
GetDlgItem.USER32(?,000003EA), ref: 00875A6C
SetWindowTextW.USER32(00000000,?), ref: 00875A72
GetDlgItem.USER32(?,000003E9), ref: 00875A82
SetWindowTextW.USER32(00000000,?), ref: 00875A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00875AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00875AC3
GetWindowRect.USER32(?,?), ref: 00875ACC
_wcslen.LIBCMT ref: 00875B33
SetWindowTextW.USER32(?,?), ref: 00875B6F
GetDesktopWindow.USER32 ref: 00875B75
GetWindowRect.USER32(00000000), ref: 00875B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00875BD3
GetClientRect.USER32(?,?), ref: 00875BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00875C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00875C2F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction ID: decb5fe27f74074c58b1c895b8db9e27d5c8acc989b14fc29134acc17d1be862
Opcode Fuzzy Hash: 5ec44f65475793e90bbb4036ddc8eaa5710ffb147dcc64e457d2cec6093d6857
Instruction Fuzzy Hash: F9715E31900B09AFDB20DFA8CE85BAEBBF5FF48714F108918E546E25A4D7B5E944CB50

Function 0088FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0088FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0088FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0088FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0088FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0088FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0088FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0088FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0088FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0088FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0088FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0088FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0088FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0088FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0088FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0088FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0088FECC
GetCursorInfo.USER32(?), ref: 0088FEDC
GetLastError.KERNEL32 ref: 0088FF1E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e944feb679f4396ea115d81e09f9071dd909c3c9969ce255452382f39cf0fbc7
Instruction ID: a987ed559cfc71977b070cf561885416afc738ab54b992a563f33096dd23fb8f
Opcode Fuzzy Hash: e944feb679f4396ea115d81e09f9071dd909c3c9969ce255452382f39cf0fbc7
Instruction Fuzzy Hash: 6B4121B0D443196ADB109FBA8C8985EBFE8FF04754B54452AF219E7281DB78A9018F91

Function 008300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008300C6

Part of subcall function 008300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008E070C,00000FA0,0A6EEC29,?,?,?,?,008523B3,000000FF), ref: 0083011C
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008523B3,000000FF), ref: 00830127
Part of subcall function 008300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008523B3,000000FF), ref: 00830138
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0083014E
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0083015C
Part of subcall function 008300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0083016A
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00830195
Part of subcall function 008300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008301A0

___scrt_fastfail.LIBCMT ref: 008300E7

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

Strings

WakeAllConditionVariable, xrefs: 00830162
kernel32.dll, xrefs: 00830133
SleepConditionVariableCS, xrefs: 00830154
InitializeConditionVariable, xrefs: 00830148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00830122

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction ID: 17f7e1443fda2fa0ec677dcbb0946c34fabf2283feb8192e018bf8bff7dc3f86
Opcode Fuzzy Hash: c3c251404636fc06099979f8c8149035b012c3da4daf9f894b0b6eea584d1319
Instruction Fuzzy Hash: C1212932A44710ABF7216BA4AC55B2E37E4FB86B51F000539F911E6B92DFB89C40CED1

Function 008730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087318D
_wcslen.LIBCMT ref: 008731F8

Strings

CLASSNN, xrefs: 008731F3, 00873204
INSTANCE, xrefs: 00873453
TEXT, xrefs: 0087347C
NAME, xrefs: 00873335, 00873346
CLASS, xrefs: 00873188, 008731A5
REGEXPCLASS, xrefs: 00873255, 00873266

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5ff9bb487eed4c1260b589676875ebbb50853c8ae9d75f33325765451c1b2c43
Instruction ID: a8903310516f2ce972266f22efa0093a4803da8f92431e932c1f5783b1840bc8
Opcode Fuzzy Hash: 5ff9bb487eed4c1260b589676875ebbb50853c8ae9d75f33325765451c1b2c43
Instruction Fuzzy Hash: 97E1F632A00516ABCB18DFB8C4516EDBBB4FF54710F54C22AE45AF7244DB30EE85A792

Function 008844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,008ACC08), ref: 00884527
_wcslen.LIBCMT ref: 0088453B
_wcslen.LIBCMT ref: 00884599
_wcslen.LIBCMT ref: 008845F4
_wcslen.LIBCMT ref: 0088463F
_wcslen.LIBCMT ref: 008846A7

Part of subcall function 0082F9F2: _wcslen.LIBCMT ref: 0082F9FD

GetDriveTypeW.KERNEL32(?,008D6BF0,00000061), ref: 00884743

Strings

cdrom, xrefs: 0088458F, 00884594
unknown, xrefs: 00884708
network, xrefs: 0088469D, 008846A2
all, xrefs: 00884531, 00884536
removable, xrefs: 008845EA, 008845EF
ramdisk, xrefs: 008846F1
fixed, xrefs: 00884635, 0088463A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ddb1a8cfdf1ff1b73d642f25a702947543775e649d05ffc1256f84b69294f9c4
Instruction ID: 1795809cc986bef12928970d469b6e2a3ffc1338b9a9737f148706994aad65aa
Opcode Fuzzy Hash: ddb1a8cfdf1ff1b73d642f25a702947543775e649d05ffc1256f84b69294f9c4
Instruction Fuzzy Hash: D6B1D2326083029FC710EF28C890A6EB7E5FFA5764F505A1DF596C7291E730D985CB92

Function 00893FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,008ACC08), ref: 008940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,008ACC08), ref: 008940F2
FreeLibrary.KERNEL32(00000000,?,008ACC08), ref: 0089413E
StringFromGUID2.OLE32(?,?,00000028,?,008ACC08), ref: 008941A8
SysFreeString.OLEAUT32(00000009), ref: 00894262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008942C8
SysFreeString.OLEAUT32(?), ref: 008942F2

Strings

kernel32.dll, xrefs: 008940B6
GetModuleHandleExW, xrefs: 008940C7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 5a3a76159222314b11c4724d7695fca1f3e5fc1636b04e729bac497a3723e994
Instruction ID: 84956f32ae246e787e3d8a868b3593b8f606840e260008ddd7afee3a8234801e
Opcode Fuzzy Hash: 5a3a76159222314b11c4724d7695fca1f3e5fc1636b04e729bac497a3723e994
Instruction Fuzzy Hash: A412F975A00119AFDF14DF94C884EAEB7B9FF49318F289098E905DB251D731ED86CBA0

Function 0081326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008E1990), ref: 00852F8D
GetMenuItemCount.USER32(008E1990), ref: 0085303D
GetCursorPos.USER32(?), ref: 00853081
SetForegroundWindow.USER32(00000000), ref: 0085308A
TrackPopupMenuEx.USER32(008E1990,00000000,?,00000000,00000000,00000000), ref: 0085309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008530A9

Strings

0, xrefs: 0081327D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 68ab7c185e59510dbf2861317bc81b4ad6dd928db80920d25c4f6c231c77c878
Instruction ID: cb3b0390b68c57d7d2da324077aaf78a8969b7e641042054a35b57374cabceee
Opcode Fuzzy Hash: 68ab7c185e59510dbf2861317bc81b4ad6dd928db80920d25c4f6c231c77c878
Instruction Fuzzy Hash: 20712A30640205BEFB319F68DC49F9ABF69FF06365F204216F925EA1E0CBB1A954C791

Function 008A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 008A6DEB

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6E94
DestroyWindow.USER32(?), ref: 008A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00810000,00000000), ref: 008A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A6EFD
GetDesktopWindow.USER32 ref: 008A6F16
GetWindowRect.USER32(00000000), ref: 008A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008A6F4D

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

Strings

0, xrefs: 008A6D98
tooltips_class32, xrefs: 008A6E58, 008A6EDD

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction ID: 289da819b61a33a9371dd613b6a62aa1bd4a654517839610801de84502fa31fe
Opcode Fuzzy Hash: 36bf41e064833c3b7152ed2fe760692d05b8d6530907f194ed238bf39f391d69
Instruction Fuzzy Hash: 88718A70144244AFEB21DF18DC48FAABBE9FB8A304F58041DF999C76A1EB70A915CB11

Function 008A911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

DragQueryPoint.SHELL32(?,?), ref: 008A9147

Part of subcall function 008A7674: ClientToScreen.USER32(?,?), ref: 008A769A
Part of subcall function 008A7674: GetWindowRect.USER32(?,?), ref: 008A7710
Part of subcall function 008A7674: PtInRect.USER32(?,?,008A8B89), ref: 008A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 008A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 008A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 008A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 008A9277
DragFinish.SHELL32(?), ref: 008A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008A9371

Strings

@GUI_DROPID, xrefs: 008A929E
@GUI_DRAGID, xrefs: 008A92E9
@GUI_DRAGFILE, xrefs: 008A9320

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 24e99e23780710362b93303f704f44db71e22c4d8ab15237ccd7d12bf6b0d407
Instruction ID: 624af73d54d10553c33b979f34ffd718429212ee75017b73eda29cbdc8acb0c7
Opcode Fuzzy Hash: 24e99e23780710362b93303f704f44db71e22c4d8ab15237ccd7d12bf6b0d407
Instruction Fuzzy Hash: DF613971108301AFD701DF64DC85DAFBBE8FF99750F40092EF5A5922A1DB709A49CB92

Function 0088C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0088C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0088C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0088C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0088C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0088C5F0
InternetCloseHandle.WININET(00000000), ref: 0088C5FB

Strings

, xrefs: 0088C575

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction ID: 63184e77b05627782cbb38657380b85fa893aee37ffb19a45f32875927373fd9
Opcode Fuzzy Hash: a4c70165717a8d843d91bad01e50f1d55076c0ac3c6bd6432236d323a1ceb987
Instruction Fuzzy Hash: 64516BB1500608BFEB21AF64C988AAB7BFCFF09754F00442AF945D6614DB34E944DBB0

Function 008A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 008A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 008A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008A85AD
CloseHandle.KERNEL32(00000000), ref: 008A85BA
GlobalLock.KERNEL32(00000000), ref: 008A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008A85D7
GlobalUnlock.KERNEL32(00000000), ref: 008A85E0
CloseHandle.KERNEL32(00000000), ref: 008A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,008AFC38,?), ref: 008A8611
GlobalFree.KERNEL32(00000000), ref: 008A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 008A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 008A8671
DeleteObject.GDI32(00000000), ref: 008A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008A86AF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction ID: 42cd6b5193a319e3d9b5356e900d7d437a3778a5596c26dd4d6cf6c2285dafca
Opcode Fuzzy Hash: c2679540819a2cbe7381f3f1319e5b9ef488523b99e211982f8c49ef104f507c
Instruction Fuzzy Hash: 84410975600208EFEB119FA5CC48EAABBB8FF9AB15F104058F909E7660DB309901CB60

Function 008814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00881502
VariantCopy.OLEAUT32(?,?), ref: 0088150B
VariantClear.OLEAUT32(?), ref: 00881517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00881657
VariantInit.OLEAUT32(?), ref: 00881708
SysFreeString.OLEAUT32(?), ref: 0088178C
VariantClear.OLEAUT32(?), ref: 008817D8
VariantClear.OLEAUT32(?), ref: 008817E7
VariantInit.OLEAUT32(00000000), ref: 00881823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00881625
Default, xrefs: 008816AF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 5ba549e53e61418d0898b85b743e32552b88972a139976c9fdc7517c88784c5d
Instruction ID: c44098da40c5ee549eeaed36d892344f334570db31ed73c0a1cb95376cc85004
Opcode Fuzzy Hash: 5ba549e53e61418d0898b85b743e32552b88972a139976c9fdc7517c88784c5d
Instruction Fuzzy Hash: 8CD1D071A0011ADBDF10AF69E889B79B7B9FF46704F10805AE446EB581DF30DD82DB52

Function 0089B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0089B80A
RegCloseKey.ADVAPI32(?), ref: 0089B87E
RegCloseKey.ADVAPI32(?), ref: 0089B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0089B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0089B922
FreeLibrary.KERNEL32(00000000), ref: 0089B983
RegCloseKey.ADVAPI32(00000000), ref: 0089B994

Strings

RegDeleteKeyExW, xrefs: 0089B8FE
advapi32.dll, xrefs: 0089B8ED

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 99bb3aaf4456d66643bad439a067f862bdf7280824aa3b3cea5d75b62e115a58
Instruction ID: d4457c2886bc2d03499b830249e796574ffac36c1c4d1abf59f7af4defd28225
Opcode Fuzzy Hash: 99bb3aaf4456d66643bad439a067f862bdf7280824aa3b3cea5d75b62e115a58
Instruction Fuzzy Hash: 20C18F30204201AFDB14EF18D594F6ABBE5FF84308F18855CE5998B7A2DB71ED85CB92

Function 0089255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008925E8
CreateCompatibleDC.GDI32(?), ref: 008925F4
SelectObject.GDI32(00000000,?), ref: 00892601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0089266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008926D0
SelectObject.GDI32(?,?), ref: 008926D8
DeleteObject.GDI32(?), ref: 008926E1
DeleteDC.GDI32(?), ref: 008926E8
ReleaseDC.USER32(00000000,?), ref: 008926F3

Strings

(, xrefs: 0089268D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4c8981023517a7f827c3c31e5c245663779063fb909b19972bf11bc2745d13e6
Instruction ID: b6a258bdb6412bef341cd0ce997569fce399049b330e00f44595e6631db6f39b
Opcode Fuzzy Hash: 4c8981023517a7f827c3c31e5c245663779063fb909b19972bf11bc2745d13e6
Instruction Fuzzy Hash: D961F1B5E00219EFDF05DFA8D884AAEBBB5FF48310F248529E955A7250E770A941CF90

Function 0084DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0084DAA1

Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D659
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D66B
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D67D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D68F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6A1
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6B3
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6C5
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6D7
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6E9
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D6FB
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D70D
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D71F
Part of subcall function 0084D63C: _free.LIBCMT ref: 0084D731

_free.LIBCMT ref: 0084DA96

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084DAB8
_free.LIBCMT ref: 0084DACD
_free.LIBCMT ref: 0084DAD8
_free.LIBCMT ref: 0084DAFA
_free.LIBCMT ref: 0084DB0D
_free.LIBCMT ref: 0084DB1B
_free.LIBCMT ref: 0084DB26
_free.LIBCMT ref: 0084DB5E
_free.LIBCMT ref: 0084DB65
_free.LIBCMT ref: 0084DB82
_free.LIBCMT ref: 0084DB9A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction ID: 065df8293dfc6e980e3349f81f4a4b17013db8badef4f2b824c51254c4d96de0
Opcode Fuzzy Hash: 90dc60f91b231da797b2585f22d2533c472785bd85c4fd343504c9affc5f7828
Instruction Fuzzy Hash: AA313B3260870D9FEB22AA79E845F5A7BE9FF10360F55452AF449D7291DF31AC40C721

Function 0087365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0087369C
_wcslen.LIBCMT ref: 008736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00873797
GetClassNameW.USER32(?,?,00000400), ref: 0087380C
GetDlgCtrlID.USER32(?), ref: 0087385D
GetWindowRect.USER32(?,?), ref: 00873882
GetParent.USER32(?), ref: 008738A0
ScreenToClient.USER32(00000000), ref: 008738A7
GetClassNameW.USER32(?,?,00000100), ref: 00873921
GetWindowTextW.USER32(?,?,00000400), ref: 0087395D

Strings

%s%u, xrefs: 00873734

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3142e38d9b8da3ed7d1b50593d5dcfd4945c5376cd3b4095264845922eeddec0
Instruction ID: 84290beeadb343992b1a3b4e59e0f3d6cba3b2de0966efec7c8a26648a4af316
Opcode Fuzzy Hash: 3142e38d9b8da3ed7d1b50593d5dcfd4945c5376cd3b4095264845922eeddec0
Instruction Fuzzy Hash: 5F91C171204606AFDB18DF24C885BAAF7A8FF45354F00C629FA9DD2194DB30EA45DB92

Function 00874954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00874994
GetWindowTextW.USER32(?,?,00000400), ref: 008749DA
_wcslen.LIBCMT ref: 008749EB
CharUpperBuffW.USER32(?,00000000), ref: 008749F7
_wcsstr.LIBVCRUNTIME ref: 00874A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00874A64
GetWindowTextW.USER32(?,?,00000400), ref: 00874A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00874AE6
GetClassNameW.USER32(?,?,00000400), ref: 00874B20
GetWindowRect.USER32(?,?), ref: 00874B8B

Strings

ThumbnailClass, xrefs: 00874A6F, 00874AF1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 6fd376aca80e392e2d3137d3a3d9af205bdf3d877f81b5b08249003ee000ba30
Instruction ID: d7f1c1073af4a0c1d91380801deca315945975c6d2b9c34a78c2c73dd2fe213c
Opcode Fuzzy Hash: 6fd376aca80e392e2d3137d3a3d9af205bdf3d877f81b5b08249003ee000ba30
Instruction Fuzzy Hash: B491BE711042059FDB05DF58C981BAAB7E8FF84314F04946AFD89DA19AEB30ED45CBA2

Function 0087BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(008E1990,000000FF,00000000,00000030), ref: 0087BFAC
SetMenuItemInfoW.USER32(008E1990,00000004,00000000,00000030), ref: 0087BFE1
Sleep.KERNEL32(000001F4), ref: 0087BFF3
GetMenuItemCount.USER32(?), ref: 0087C039
GetMenuItemID.USER32(?,00000000), ref: 0087C056
GetMenuItemID.USER32(?,-00000001), ref: 0087C082
GetMenuItemID.USER32(?,?), ref: 0087C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0087C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0087C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0087C145

Strings

0, xrefs: 0087BF3D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: f579d21b532b9c0f73ea801cffb721a2603506ebe9f59d3d45b189e7a0623141
Instruction ID: a0a467f98242af3d8034491692433cd5bd0edc8ce26034b9366dec789e160818
Opcode Fuzzy Hash: f579d21b532b9c0f73ea801cffb721a2603506ebe9f59d3d45b189e7a0623141
Instruction Fuzzy Hash: F86181B090024AAFDF11CF68DC88AEE7BA9FB05344F448069F819E3295D735ED05CBA1

Function 0089CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0089CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD48

Part of subcall function 0089CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0089CCAA
Part of subcall function 0089CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0089CCBD
Part of subcall function 0089CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0089CCCF
Part of subcall function 0089CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0089CD05
Part of subcall function 0089CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0089CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0089CCF3

Strings

RegDeleteKeyExW, xrefs: 0089CCC9
advapi32.dll, xrefs: 0089CCB8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction ID: a471f42764baec8893905b9946a81dca487d3ece20d9c649573841940229c156
Opcode Fuzzy Hash: 8ae14009db217c4f2ff72329295b6bd0c06f498c74afe8329945b18180aa5157
Instruction Fuzzy Hash: AC316C71A01129BBEB20AB54DC88EFFBB7CFF46754F040165E906E2240DA349E45EAA0

Function 00883D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00883D40
_wcslen.LIBCMT ref: 00883D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00883D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00883DBE
RemoveDirectoryW.KERNEL32(?), ref: 00883DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00883E55
CloseHandle.KERNEL32(00000000), ref: 00883E60
CloseHandle.KERNEL32(00000000), ref: 00883E6B

Strings

\??\%s, xrefs: 00883D5B
\, xrefs: 00883D77
:, xrefs: 00883D82

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 11afec250c2a53d4dcf89dc9b0dacda7390e14c499ecdd1e0e03c5de50ec7af4
Instruction ID: 02c14dc3df66e199655686aac34b31d58e374e95bec7fdecbfb413e7cab9b323
Opcode Fuzzy Hash: 11afec250c2a53d4dcf89dc9b0dacda7390e14c499ecdd1e0e03c5de50ec7af4
Instruction Fuzzy Hash: 6231B271A00209ABDB21ABA4DC49FEF37BCFF89B00F1041B5F909D6161EB7497448B64

Function 0087E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0087E6B4

Part of subcall function 0082E551: timeGetTime.WINMM(?,?,0087E6D4), ref: 0082E555

Sleep.KERNEL32(0000000A), ref: 0087E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0087E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0087E727
SetActiveWindow.USER32 ref: 0087E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0087E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0087E773
Sleep.KERNEL32(000000FA), ref: 0087E77E
IsWindow.USER32 ref: 0087E78A
EndDialog.USER32(00000000), ref: 0087E79B

Strings

BUTTON, xrefs: 0087E719

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction ID: 60658990388f472e86f1355df645c65a07fd17521ecb21dd0f60498a1fc73aae
Opcode Fuzzy Hash: 85a31b00e925d5eda0c37ad9d827bb753618fa9639d0da775776f4f0ab559b76
Instruction Fuzzy Hash: 4C218170200245AFFF109F64ECC9A253B6DF76A349B108565F51DC66B5DBB1EC00DB25

Function 0087E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0087EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0087EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0087EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0087EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0087EAA7

Strings

close PlayMe, xrefs: 0087EA6E, 0087EA9B
status PlayMe mode, xrefs: 0087EA58
alias PlayMe, xrefs: 0087EA36
play PlayMe, xrefs: 0087EAA2
open , xrefs: 0087EA0C
play PlayMe wait, xrefs: 0087EA91

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8e41f01833e5c85471e922fa0b0c691af75738d81ce46ad6c51469cb14328fa8
Instruction ID: 3c4a6acec5c4bbb9dc6932541cebd508d0a775376675805fe8c74c7ac1055641
Opcode Fuzzy Hash: 8e41f01833e5c85471e922fa0b0c691af75738d81ce46ad6c51469cb14328fa8
Instruction Fuzzy Hash: 3C118F21A5022D79D720A7A5DC5ADFBAF7CFFD5B40F00052AB821E22D0EE705955C5B1

Function 00879F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0087A012
SetKeyboardState.USER32(?), ref: 0087A07D
GetAsyncKeyState.USER32(000000A0), ref: 0087A09D
GetKeyState.USER32(000000A0), ref: 0087A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0087A0E3
GetKeyState.USER32(000000A1), ref: 0087A0F4
GetAsyncKeyState.USER32(00000011), ref: 0087A120
GetKeyState.USER32(00000011), ref: 0087A12E
GetAsyncKeyState.USER32(00000012), ref: 0087A157
GetKeyState.USER32(00000012), ref: 0087A165
GetAsyncKeyState.USER32(0000005B), ref: 0087A18E
GetKeyState.USER32(0000005B), ref: 0087A19C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 36dc2b96e1362427def81f3e8a4420fb814975ec94cea4e09a95c18d5708277b
Instruction ID: 7f6de711b750ffdeec00c886a5752501aed53e29ba2bb27ada0be3243a15f4ac
Opcode Fuzzy Hash: 36dc2b96e1362427def81f3e8a4420fb814975ec94cea4e09a95c18d5708277b
Instruction Fuzzy Hash: ED51E72090878869FB39DB6488107AEBFB5FF52340F48C589D5CAD61C6DA54DA4CC763

Function 00875CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00875CE2
GetWindowRect.USER32(00000000,?), ref: 00875CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00875D59
GetDlgItem.USER32(?,00000002), ref: 00875D69
GetWindowRect.USER32(00000000,?), ref: 00875D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00875DCF
GetDlgItem.USER32(?,000003E9), ref: 00875DDD
GetWindowRect.USER32(00000000,?), ref: 00875DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00875E31
GetDlgItem.USER32(?,000003EA), ref: 00875E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00875E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00875E67

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction ID: 43c3972705daa46087ad1ec786ea8b2b3e825b3ce24efbe477a806d7aebee1f4
Opcode Fuzzy Hash: 4c1cddc95296cddcd61f20cbcd622382d024a6cbaad865d49484ff8f9184f230
Instruction Fuzzy Hash: C551FD71A00609AFDB18CF68DD89AAEBBB5FB59300F148129F519E6694D770EE04CB50

Function 00828BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00828F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00828BE8,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828FC5

DestroyWindow.USER32(?), ref: 00828C81
KillTimer.USER32(00000000,?,?,?,?,00828BBA,00000000,?), ref: 00828D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00866973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000,?), ref: 008669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00828BBA,00000000), ref: 008669D4
DeleteObject.GDI32(00000000), ref: 008669E6

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction ID: 107366fb3f20fa379bf482bd8d57e02c242d2d5bd8cf062578303534e3877024
Opcode Fuzzy Hash: fedc2389f49be907e8669b4665f57a19fa38448a7be915d56d162daecf961d5c
Instruction Fuzzy Hash: 8161AA30502664DFDF21AF28EA88B29BBF1FB51316F554518E042DBA60CB35A8E0CF90

Function 00829838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00829944: GetWindowLongW.USER32(?,000000EB), ref: 00829952

GetSysColor.USER32(0000000F), ref: 00829862

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction ID: b934076efa5552902271ab929a3d13388fe2ea178d5081ae6e183c328b45d052
Opcode Fuzzy Hash: e0c6ee776396087ca89e5d8a777ec8227cc28250f0e7204297f69749a81a7348
Instruction Fuzzy Hash: 58419031504654AFEB245F38AC88BB93BA5FB17334F194669F9E2C72E1D7319882DB10

Function 008796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00879717
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879720

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0085F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00879742
LoadStringW.USER32(00000000,?,0085F7F8,00000001), ref: 00879745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00879866

Strings

Line %d:, xrefs: 008797A0
Line %d (File "%s"):, xrefs: 0087978F
Error: , xrefs: 0087981D
%s (%d) : ==> %s: %s %s, xrefs: 0087984A
^ ERROR, xrefs: 008797FB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: bd1e34f43a376bd025650091bc937e67191c38c85fcdfa32beb282c0c3547e65
Instruction ID: e76d5fb62028e7c509f38640da4b6aecedf1fa50ac367957124cc2c0c9e0b1e4
Opcode Fuzzy Hash: bd1e34f43a376bd025650091bc937e67191c38c85fcdfa32beb282c0c3547e65
Instruction Fuzzy Hash: 09414D72800219AADB04EBE8DD96DEEB77CFF15350F104025F645F2192EA356F88CB62

Function 008706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00870804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0087082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00870837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0087083C

Strings

\CLSID, xrefs: 00870724
\IPC$, xrefs: 00870784
SOFTWARE\Classes\, xrefs: 0087070E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5943c65b59586971bee84414ae287796e4ad57971f0ee8da5d359cac70b428e4
Instruction ID: 06b48684e2932b48cd275e172a384aad5f79c24f921fcfff9b24997d56e6e921
Opcode Fuzzy Hash: 5943c65b59586971bee84414ae287796e4ad57971f0ee8da5d359cac70b428e4
Instruction Fuzzy Hash: B441D672C10229EBDB15EBA4DC958EEB778FF04350F05412AE915E3261EB30AE44CF91

Function 008A3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008A403B
CreateCompatibleDC.GDI32(00000000), ref: 008A4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008A4055
SelectObject.GDI32(00000000,00000000), ref: 008A405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 008A4068
DeleteDC.GDI32(00000000), ref: 008A4072
GetWindowLongW.USER32(?,000000EC), ref: 008A407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 008A4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 008A409E

Strings

static, xrefs: 008A3FD3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 49287540bf0e7bc2a549826ff3c2559ed1f645498172c155b4f88b4f8fbb74c1
Instruction ID: 446615994a480ec5b839d3dd521db63778ec35d8411569687f4fb730bee7cff5
Opcode Fuzzy Hash: 49287540bf0e7bc2a549826ff3c2559ed1f645498172c155b4f88b4f8fbb74c1
Instruction Fuzzy Hash: 0C315C32501619AFEF219FA8CC09FDA3BA8FF0E324F110225FA55E65A0D775D850DBA0

Function 00893C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00893C5C
CoInitialize.OLE32(00000000), ref: 00893C8A
CoUninitialize.OLE32 ref: 00893C94
_wcslen.LIBCMT ref: 00893D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00893DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00893ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00893F0E
CoGetObject.OLE32(?,00000000,008AFB98,?), ref: 00893F2D
SetErrorMode.KERNEL32(00000000), ref: 00893F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00893FC4
VariantClear.OLEAUT32(?), ref: 00893FD8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction ID: 211a34ea043c4215c0ed0806dd89c7d28c97fc62c2e837b74cb3087254424920
Opcode Fuzzy Hash: 560ac5782b6b194425a613bbb4a1ff12b2fad6d10adefcfa81c44212004845e8
Instruction Fuzzy Hash: 9DC12571608205AFDB00EF68C88496BB7E9FF89748F14491DF98ADB211DB31EE45CB52

Function 00887A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00887AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00887B8F
SHGetDesktopFolder.SHELL32(?), ref: 00887BA3
CoCreateInstance.OLE32(008AFD08,00000000,00000001,008D6E6C,?), ref: 00887BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00887C74
CoTaskMemFree.OLE32(?,?), ref: 00887CCC
SHBrowseForFolderW.SHELL32(?), ref: 00887D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00887D7A
CoTaskMemFree.OLE32(00000000), ref: 00887D81
CoTaskMemFree.OLE32(00000000), ref: 00887DD6
CoUninitialize.OLE32 ref: 00887DDC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: afcf45e745b9149fe2edf0890e0cd51afd48ad053bc0e51309adee6ceea28534
Instruction ID: a330f53fe3de4bc1803b27aba4dd33442d5dbc29d4f30680b1da193e3296db80
Opcode Fuzzy Hash: afcf45e745b9149fe2edf0890e0cd51afd48ad053bc0e51309adee6ceea28534
Instruction Fuzzy Hash: C3C12C75A04109AFDB14DFA4C884DAEBBF9FF48314B1484A9E819DB761D730ED41CB90

Function 008A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A5515
CharNextW.USER32(00000158), ref: 008A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A55AC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction ID: b7b3f8d02d75b75127416e6791c2ad16cfcc81d21fd79cd6dd9473ef03b28e71
Opcode Fuzzy Hash: 42798054cd3c043234fc8232e33f53841524dbbf2b11a79c04b76518f568d986
Instruction Fuzzy Hash: CF619B71901A08EBEF10CF54DC849FE7BB9FB0B724F144149F925EAA90D7748A80DB61

Function 0086FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0086FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0086FB08
VariantInit.OLEAUT32(?), ref: 0086FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0086FB3A
VariantCopy.OLEAUT32(?,?), ref: 0086FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0086FBA1
VariantClear.OLEAUT32(?), ref: 0086FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0086FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBCC
VariantClear.OLEAUT32(?), ref: 0086FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0086FBE9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction ID: 38057d97637906d8355e2026385f6da75c283806a9f443059983249868d020cd
Opcode Fuzzy Hash: a61c353833d0b558378ce8a91857c16507bc675921c93a94b2ba1169f6728a87
Instruction Fuzzy Hash: C2416235A002199FDB00DF68E8549EDBBB9FF09354F018069E945E7261CB30E945CF95

Function 00879C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00879CA1
GetAsyncKeyState.USER32(000000A0), ref: 00879D22
GetKeyState.USER32(000000A0), ref: 00879D3D
GetAsyncKeyState.USER32(000000A1), ref: 00879D57
GetKeyState.USER32(000000A1), ref: 00879D6C
GetAsyncKeyState.USER32(00000011), ref: 00879D84
GetKeyState.USER32(00000011), ref: 00879D96
GetAsyncKeyState.USER32(00000012), ref: 00879DAE
GetKeyState.USER32(00000012), ref: 00879DC0
GetAsyncKeyState.USER32(0000005B), ref: 00879DD8
GetKeyState.USER32(0000005B), ref: 00879DEA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d8af4398b7451e722584167fd4583567d07a8da7bfb6139d9ddc7c4f5d014763
Instruction ID: 72417bd45de4559bfcc7fde1a7383339d83a1ecdcd336b5b3b8f3888b975bf28
Opcode Fuzzy Hash: d8af4398b7451e722584167fd4583567d07a8da7bfb6139d9ddc7c4f5d014763
Instruction Fuzzy Hash: 2B41A834504BC96DFF31966488043B5BEA1FF52344F08C09ADACAD65C6EBE5D9C8C792

Function 0089055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008905BC
inet_addr.WSOCK32(?), ref: 0089061C
gethostbyname.WSOCK32(?), ref: 00890628
IcmpCreateFile.IPHLPAPI ref: 00890636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008907B9
WSACleanup.WSOCK32 ref: 008907BF

Strings

Ping, xrefs: 00890676

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bbba7fb9c88f71261c0d196e88feaec6a48b7255df14980393afef032abd30c2
Instruction ID: 5e10986b997a712b75b5f7ba118d1f46583b4a79149294c810b8d7481ed8e8d7
Opcode Fuzzy Hash: bbba7fb9c88f71261c0d196e88feaec6a48b7255df14980393afef032abd30c2
Instruction Fuzzy Hash: F9917F35604201AFD710DF19D488B16BBE4FF44328F1985A9F469DB6A2C731ED85CF92

Function 00898CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00898CF3

Part of subcall function 00878E54: _wcslen.LIBCMT ref: 00878E77

_wcslen.LIBCMT ref: 00898D4E
_wcslen.LIBCMT ref: 00898D9C
_wcslen.LIBCMT ref: 00898DDC
_wcslen.LIBCMT ref: 00898E6E

Strings

cdecl, xrefs: 00898D48, 00898D4D
winapi, xrefs: 00898D96, 00898D9B
stdcall, xrefs: 00898DD6, 00898DDB
none, xrefs: 00898E65, 00898E6A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction ID: 8cacf5986f209b7782412fa18878f91d9053fdb37cd4985cfc456a7184b058d7
Opcode Fuzzy Hash: f1d6fcc52421c3cb5bc9d9e893564319bce66e1d20c90bc123e0c4f3daf80aef
Instruction Fuzzy Hash: C1519E31A00117DBCF14EFACC9509BEB7A5FF66324B294229E966E7284EB35DD40C790

Function 0089372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00893774
CoUninitialize.OLE32 ref: 0089377F
CoCreateInstance.OLE32(?,00000000,00000017,008AFB78,?), ref: 008937D9
IIDFromString.OLE32(?,?), ref: 0089384C
VariantInit.OLEAUT32(?), ref: 008938E4
VariantClear.OLEAUT32(?), ref: 00893936

Strings

NULL Pointer assignment, xrefs: 0089381E
Failed to create object, xrefs: 008937E4, 0089389A
Invalid parameter, xrefs: 00893865

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: aff4c68a3fe628bfb0d4db03b34157cd98958842bbaf8aaaefdc42066c3a332c
Instruction ID: 5679e8fc4665ab9fdfc9ef35c66806b5cc48315b1f081cda2849229d6e8106ba
Opcode Fuzzy Hash: aff4c68a3fe628bfb0d4db03b34157cd98958842bbaf8aaaefdc42066c3a332c
Instruction Fuzzy Hash: C9619F70608311AFD710EF54C848B6ABBE8FF49714F144929F995EB291D770EE48CB92

Function 00883388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008833CF

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883504
^ ERROR , xrefs: 0088349E
"%s" (%d) : ==> %s:, xrefs: 00883522
Line %d (File "%s"):, xrefs: 00883443, 0088345C
Error: , xrefs: 008834D1
Incorrect parameters to object property !, xrefs: 008834AB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 330c55b9e32d5e5048da3a6d5e3133145bb3eba82c8e81b655c03c362314d539
Instruction ID: 74bb861e58a51ac85ed075dd4147617eb390274967bb702c0b95d26f2365a1f4
Opcode Fuzzy Hash: 330c55b9e32d5e5048da3a6d5e3133145bb3eba82c8e81b655c03c362314d539
Instruction Fuzzy Hash: A9518A71800209AADF14EBA4DD46EEEB778FF04740F104166F515F22A2EB356F98DB62

Function 0087B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0087B5FC
_wcslen.LIBCMT ref: 0087B608
_wcslen.LIBCMT ref: 0087B64D
_wcslen.LIBCMT ref: 0087B68C
_wcslen.LIBCMT ref: 0087B6C7

Strings

APPEND, xrefs: 0087B6C1, 0087B6C6
REMOVE, xrefs: 0087B602, 0087B607
KEYS, xrefs: 0087B647, 0087B64C
EXISTS, xrefs: 0087B686, 0087B68B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction ID: 6181028bc26b588207e668c775808f23624601e8eda098095a5e8b8d979c6e9a
Opcode Fuzzy Hash: faf38e021d33cfd6919ab23b0586c707a4909ec878e04c0edf65e44f4043f589
Instruction Fuzzy Hash: 9441DE32A000269BCB105F7DC8906BE77A6FFB1754B248229E629D7288F735CD81C790

Function 00885393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00885416
GetLastError.KERNEL32 ref: 00885420
SetErrorMode.KERNEL32(00000000,READY), ref: 008854A7

Strings

READY, xrefs: 00885460, 00885468
INVALID, xrefs: 00885459
READONLY, xrefs: 00885452
NOTREADY, xrefs: 0088544B
UNKNOWN, xrefs: 00885444

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction ID: ae3b272595fb2339e9dab5c83b74453055f6126cf19bed5986d7382cee417099
Opcode Fuzzy Hash: 720a9dee1ebf921fef32b93c2194d14f7ee4d28d522eece762b3afc70c6812fd
Instruction Fuzzy Hash: 5431A3B5A006089FD710EF68C484AAA7BF4FF45305F148069E505DB392EB71ED86CB91

Function 008A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 008A3C79
SetMenu.USER32(?,00000000), ref: 008A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A3D10
IsMenu.USER32(?), ref: 008A3D24
CreatePopupMenu.USER32 ref: 008A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008A3D5B
DrawMenuBar.USER32 ref: 008A3D63

Strings

0, xrefs: 008A3C54
F, xrefs: 008A3D4E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction ID: 8934534bb893224dbcd9a5716ee9b96ec8a4780c5d42d307bd3566f62f6a9625
Opcode Fuzzy Hash: 9748f50de1885d48193ac8de7a6b876db4018e24046bde072cb8886e12420386
Instruction Fuzzy Hash: BF413875A01209EFEB14DF64D884BAABBB5FF4A350F140029F946E7760D770AA10CB94

Function 00871EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00871F64
GetDlgCtrlID.USER32 ref: 00871F6F
GetParent.USER32 ref: 00871F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00871F8E
GetDlgCtrlID.USER32(?), ref: 00871F97
GetParent.USER32(?), ref: 00871FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00871FAE

Strings

ComboBox, xrefs: 00871EEC
ListBox, xrefs: 00871F21

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 50eff79b68e6a8cd492fa3ef6a82d85c8e1ed40620c982ac82771155022d2119
Instruction ID: aaf3404d2e91fad1978af5806caa04d64f96ab8eae0e6db2f40ca4611acb6a09
Opcode Fuzzy Hash: 50eff79b68e6a8cd492fa3ef6a82d85c8e1ed40620c982ac82771155022d2119
Instruction Fuzzy Hash: 6B21F270A00214BBDF01EFA8CC85DEEBBB8FF16350B00411AF9A5E3295CB348904DB61

Function 00871FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00872043
GetDlgCtrlID.USER32 ref: 0087204E
GetParent.USER32 ref: 0087206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0087206D
GetDlgCtrlID.USER32(?), ref: 00872076
GetParent.USER32(?), ref: 0087208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0087208D

Strings

ComboBox, xrefs: 00871FCD
ListBox, xrefs: 00872002

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 34ec40fa42def27a05e6997568c4c68d0437a7c965ac0334ad322a482e18e3db
Instruction ID: f7742876e33574746057275cb399375f8f2b35ddeeee9fcf4a629bf6015a62ea
Opcode Fuzzy Hash: 34ec40fa42def27a05e6997568c4c68d0437a7c965ac0334ad322a482e18e3db
Instruction Fuzzy Hash: D721CF71900218BBDF10EFA4CC85EEEBBB8FF15340F00401AF995E72A5DA798954DB61

Function 008A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 008A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008A3C13

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction ID: 49961f6a216c592fbf1d2016c2e659c77397034f04155e69615c5b85a574a6c8
Opcode Fuzzy Hash: e87a7c5dc48afd9c1b2ea62dd430c42132247719934b456ab602517a539b56d6
Instruction Fuzzy Hash: 45617D75900248AFEB11DF68CC85EEE77B8FB0A710F100059FA15E7291C774AE41DB60

Function 0087B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B165
GetWindowThreadProcessId.USER32(00000000), ref: 0087B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0087B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0087A1E1,?,00000001), ref: 0087B21D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction ID: 3938c800c6f57659c36ff11748ea7c8fe60fa675735c36fd04b2ad935c79143f
Opcode Fuzzy Hash: 5bd7c2ca15d11edb4ee946de560ef9a0ef3a7681d843fbd7f006f13342c300cf
Instruction Fuzzy Hash: 0C3191B5510608BFEB10DF64DC88B6D7BAAFB62325F108419FA09DB191D7B4DE408F64

Function 00842C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00842C94

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 00842CA0
_free.LIBCMT ref: 00842CAB
_free.LIBCMT ref: 00842CB6
_free.LIBCMT ref: 00842CC1
_free.LIBCMT ref: 00842CCC
_free.LIBCMT ref: 00842CD7
_free.LIBCMT ref: 00842CE2
_free.LIBCMT ref: 00842CED
_free.LIBCMT ref: 00842CFB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction ID: 6df76ff7bd89801dea2a454fba054351cc33ae4fe019166598b3a23d4eae4b4d
Opcode Fuzzy Hash: e091495acf67c7c18493d1ae598793bc3d8629afc1a9fc49b670b672c78346a0
Instruction Fuzzy Hash: BB11A27610410CAFDB02EF99D882DDD3FA9FF05350F9144A5FA489F222DA31EE509B92

Function 00887DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00887FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00887FC1
GetFileAttributesW.KERNEL32(?), ref: 00887FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00888005
SetCurrentDirectoryW.KERNEL32(?), ref: 00888017
SetCurrentDirectoryW.KERNEL32(?), ref: 00888060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008880B0

Strings

*.*, xrefs: 00888066

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 78fad077df2805565a22505c7d871a13c58363e7ed6d1300303dd6939903300b
Instruction ID: 99e6bf4b6351ff897d900aca5d4ced6d8951c2f8fe054373cbfb45a8029c9fd7
Opcode Fuzzy Hash: 78fad077df2805565a22505c7d871a13c58363e7ed6d1300303dd6939903300b
Instruction Fuzzy Hash: 4F81B1725082459BCB20FF18C4849AAB3E8FF89714F644C6EF889C7251EB75ED45CB92

Function 00815BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00815C7A

Part of subcall function 00815D0A: GetClientRect.USER32(?,?), ref: 00815D30
Part of subcall function 00815D0A: GetWindowRect.USER32(?,?), ref: 00815D71
Part of subcall function 00815D0A: ScreenToClient.USER32(?,?), ref: 00815D99

GetDC.USER32 ref: 008546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00854708
SelectObject.GDI32(00000000,00000000), ref: 00854716
SelectObject.GDI32(00000000,00000000), ref: 0085472B
ReleaseDC.USER32(?,00000000), ref: 00854733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008547C4

Strings

U, xrefs: 00854693

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction ID: 4137a0626c53febc464dc85a216585e7c5a77c3c538d68d66eb0a771974b94f7
Opcode Fuzzy Hash: ce6811eb7fe0ad6dbb7e38da6f7ca7b13c742e86d9c61d9aa8efbd5f14bb9690
Instruction Fuzzy Hash: DC71F134500209DFDF218F64C984AFA3BB5FF8A32AF145269ED55DA266C73098C9DF50

Function 0088359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008835E4

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

LoadStringW.USER32(008E2390,?,00000FFF,?), ref: 0088360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00883724
"%s" (%d) : ==> %s:, xrefs: 00883742
Line %d (File "%s"):, xrefs: 0088366B
Error: , xrefs: 008836EF
^ ERROR, xrefs: 008836C9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: dc22ef90b2a8e0c8eaff051e8755a34989948c3eb0f7dbb26cc2d90b87111529
Instruction ID: 0f5de109b6aee3f7c28e196da00b03782dbaa0bf05cc94a92d06263959965015
Opcode Fuzzy Hash: dc22ef90b2a8e0c8eaff051e8755a34989948c3eb0f7dbb26cc2d90b87111529
Instruction Fuzzy Hash: 87516D71800219AADF14EBA4DC52EEEBB39FF14710F144125F515B22A1EB346BD8DBA2

Function 0088C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0088C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0088C2CA
GetLastError.KERNEL32 ref: 0088C322
SetEvent.KERNEL32(?), ref: 0088C336
InternetCloseHandle.WININET(00000000), ref: 0088C341

Strings

, xrefs: 0088C2BB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction ID: 1a0653a032fd854d698666d7ba1758ee2ba5de86d6c5a34708329432db1888ac
Opcode Fuzzy Hash: 57cfda2516c468bb56fbc5fcc9fb543c32ae49d95b3317c9d0867f8e00151854
Instruction Fuzzy Hash: 31317AB1600608AFE721AFA99C88ABB7BFCFB4A744F10851EF446D2644DB34DD059B71

Function 0087989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00853AAF,?,?,Bad directive syntax error,008ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008798BC
LoadStringW.USER32(00000000,?,00853AAF,?), ref: 008798C3

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00879987

Strings

Line %d:, xrefs: 00879912
Line %d (File "%s"):, xrefs: 0087992D
%s (%d) : ==> %s.: %s %s, xrefs: 008798F1
Error: , xrefs: 00879955
., xrefs: 0087996D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: da922e27c4a666eb8d97a06f38c860113e1db76a82c814b15dd09d01dd87879a
Instruction ID: ccaa9893f79439ecd07958b490e1ceb94e27209c439c66ac3d31d449154c991a
Opcode Fuzzy Hash: da922e27c4a666eb8d97a06f38c860113e1db76a82c814b15dd09d01dd87879a
Instruction Fuzzy Hash: BF21943180021EABDF15AF94CC06EEE7779FF14300F044466F629A21A2EB75A668DB51

Function 0087209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0087214D

Strings

details, xrefs: 008720FB
list, xrefs: 0087212F
smallicons, xrefs: 00872115
SHELLDLL_DefView, xrefs: 008720CC
largeicons, xrefs: 008720E1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction ID: 455a3bcfd63462d7f9828b0d3bd4cb32b8f51ba3cbb41299efa2c97e663841e1
Opcode Fuzzy Hash: c8cc2bcbbd6122309f33db6f031275068684d22569dc1dd94fdecc8b70995829
Instruction Fuzzy Hash: 35115976288706B9FA01A228DC07CA6339CFB15324F20411BFB08E41D5FF65F8015664

Function 00848D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction ID: d2a2706be8c83b768b2bfb3ae96e9dd842ac08a2677cd3568d566c629d5b9065
Opcode Fuzzy Hash: 39ca2a283f43fcf816b3fd5933dccb176b5d82d72a68527a9a564bebf7fc9ab8
Instruction Fuzzy Hash: CDC1AD74E0424DEFDB21DFA8D841BAEBBB4FF49310F144199E954EB292CB709941CB61

Function 0084CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0084CEB7
_free.LIBCMT ref: 0084CF22
_free.LIBCMT ref: 0084CF48
_free.LIBCMT ref: 0084CF71
_free.LIBCMT ref: 0084CFA9
_free.LIBCMT ref: 0084CFDA
_free.LIBCMT ref: 0084D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0084D09C
_free.LIBCMT ref: 0084D0B5

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 104fbd1e3db9e59f7d787d9822dfccaaede7c161e6fac741825a7d1b9afd429d
Instruction ID: 6c13c3b7d788813796ffe2df883a7b09285bd27e6b3c63a7d1c5d020a54e88ab
Opcode Fuzzy Hash: 104fbd1e3db9e59f7d787d9822dfccaaede7c161e6fac741825a7d1b9afd429d
Instruction Fuzzy Hash: 9D614771A0534CAFDB21AFB89C81A6E7BA9FF01310F04416DF940DB242DFB59D4587A1

Function 008A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 008A5186
ShowWindow.USER32(?,00000000), ref: 008A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008A51D1

Part of subcall function 008A6FBA: DeleteObject.GDI32(00000000), ref: 008A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 008A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 008A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 008A5296

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction ID: 2861fad47e6c3b1e08ca80a80d1d6b60ebe12fd2e9ea240c8cda918353108ac3
Opcode Fuzzy Hash: 40e58569590ef448322b2ea44f27cabb24cb1ce60d6fdeee4ce7d30785d2bca4
Instruction Fuzzy Hash: BB518D30A40A08BEFF209F28DC4ABE93BA5FB06325F144011F625DAAE1C775A9D0DB41

Function 00828B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00866890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 00866901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0086691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00828874,00000000,00000000,00000000,000000FF,00000000), ref: 0086692D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction ID: ed26b91fcfb24290af97a71a90fe5027698f401c8a4435e4157e7dfb315b129a
Opcode Fuzzy Hash: f5d7cf573d1d2068c26b4063f15759f02af10a8a70db96d3bfb28e69db321341
Instruction Fuzzy Hash: FC516970600249EFEF20CF24DC95BAA7BB5FB58764F104528F956D72A0EB70A9A0DB50

Function 0088C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0088C182
GetLastError.KERNEL32 ref: 0088C195
SetEvent.KERNEL32(?), ref: 0088C1A9

Part of subcall function 0088C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0088C272
Part of subcall function 0088C253: GetLastError.KERNEL32 ref: 0088C322
Part of subcall function 0088C253: SetEvent.KERNEL32(?), ref: 0088C336
Part of subcall function 0088C253: InternetCloseHandle.WININET(00000000), ref: 0088C341

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction ID: e0b192aa8881b0a8b3483124d3fe2fb4f9690ae3600b3a10c2af74b3adfa76cb
Opcode Fuzzy Hash: 70dafde0cbd10a6896cc8c70410a1176a16e93a1b4687c2da6be17dadabdb606
Instruction Fuzzy Hash: A5318D71200605AFEB21AFB9DC48A76BBF8FF19300B00841DF956C2A64DB31E814DBB0

Function 008725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00872601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00872605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0087260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00872623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00872627

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction ID: 4a6d797f6641b250759e5e3db7d788cc37c6f5edcb23b30a7f3db93aa274b435
Opcode Fuzzy Hash: b4529ef30112c3ab66f49999aaf6ede03c4530d37cfc7264c8e9015c4722e221
Instruction Fuzzy Hash: 9C01D431390624BBFB1067689C8AF597F59FB5EB12F104005F318EE0D5C9E264459A6A

Function 00871803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00871449,?,?,00000000), ref: 0087180C
HeapAlloc.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871828
GetCurrentProcess.KERNEL32(?,00000000,?,00871449,?,?,00000000), ref: 00871830
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 00871833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00871449,?,?,00000000), ref: 00871843
GetCurrentProcess.KERNEL32(00871449,00000000,?,00871449,?,?,00000000), ref: 0087184B
DuplicateHandle.KERNEL32(00000000,?,00871449,?,?,00000000), ref: 0087184E
CreateThread.KERNEL32(00000000,00000000,00871874,00000000,00000000,00000000), ref: 00871868

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction ID: 61cc98bf464bdc736debd4142b79081080866b709bbacb125a84cc2bfce83dc1
Opcode Fuzzy Hash: 6c3d7da245e2f464ee413e4d9053f81122bf09f9f4576019d307936b5a776a68
Instruction Fuzzy Hash: B701AC75340304BFF610ABA5DC4DF577BACFB8AB11F004411FA05DB691DA7498008B20

Function 0089A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0087D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0087D501
Part of subcall function 0087D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0087D50F
Part of subcall function 0087D4DC: CloseHandle.KERNELBASE(00000000), ref: 0087D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A16D
GetLastError.KERNEL32 ref: 0089A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0089A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0089A268
GetLastError.KERNEL32(00000000), ref: 0089A273
CloseHandle.KERNEL32(00000000), ref: 0089A2C4

Strings

SeDebugPrivilege, xrefs: 0089A18F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 95a4e4a130e49dfbdf657d10b7c22fc8a30774460586937a1954d663962b07b8
Instruction ID: 08cb46f75aea1b22f8bcc2a309b9038d8c5d74c89f5f57d3858440274de9e85e
Opcode Fuzzy Hash: 95a4e4a130e49dfbdf657d10b7c22fc8a30774460586937a1954d663962b07b8
Instruction Fuzzy Hash: 9A616D302082419FDB14EF58C494F55BBA5FF44318F18849CE4668BBA2DB76EC85CBD2

Function 008A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008A3954
_wcslen.LIBCMT ref: 008A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008A39F4

Strings

SysListView32, xrefs: 008A38F7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction ID: 28afd0388d90b9077ee7e575a6f4532230397ca660be7c27eb2415825037a7e9
Opcode Fuzzy Hash: eeddeae30ff6ca45753255523ff733c8d5d02c686135e600cb5835a739c84e32
Instruction Fuzzy Hash: 0C41A371A00218ABEF219F64CC49FEA7BA9FF09350F14052AF958E7281D7759E84CB90

Function 0087BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0087BCFD
IsMenu.USER32(00000000), ref: 0087BD1D
CreatePopupMenu.USER32 ref: 0087BD53
GetMenuItemCount.USER32(01375B08), ref: 0087BDA4
InsertMenuItemW.USER32(01375B08,?,00000001,00000030), ref: 0087BDCC

Strings

2, xrefs: 0087BD37
0, xrefs: 0087BCA8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction ID: 7e1ef10cd941ea462f11a9221d5126847a1949881041c06cf12d6a1b9dff72fc
Opcode Fuzzy Hash: 7fcb4b6ff169c6930faf8c1b83f4c6f3c3d8a31c4fed07a8e90d57659d36918e
Instruction Fuzzy Hash: FB518A70A002099FDB21CFA8D888BAEBFF6FF45354F148119E419D72A9E770D940CB62

Function 0087C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0087C913

Strings

warning, xrefs: 0087C8FC
blank, xrefs: 0087C895
info, xrefs: 0087C8B4
question, xrefs: 0087C8CC
stop, xrefs: 0087C8E4

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction ID: e08ec870101569f42e0a1d90f3364c7b9a6b0cceee7c14282695c1bc4a4394d2
Opcode Fuzzy Hash: 94a0e475e052044b9b400fadb81e1b97a251e345c6d479989429738ba82c533b
Instruction Fuzzy Hash: F911EB3168930EBAA7015B549C82DEA6B9CFF15358B10812FF608E7382E774ED0052A9

Function 0087DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0087DE42
gethostname.WSOCK32(?,00000100), ref: 0087DE5C
gethostbyname.WSOCK32(?), ref: 0087DE69
inet_ntoa.WSOCK32(?), ref: 0087DEAB
_strcat.LIBCMT ref: 0087DEB9
WSACleanup.WSOCK32 ref: 0087DEDE

Strings

0.0.0.0, xrefs: 0087DE87

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: a45f8c645a7b1873bb26161c8cef87e05bcf82249a896b0845d617bb2957c583
Instruction ID: de42b8bf0a1aa5087299476b58638b748601095e6cf7dd4c6239e94a0cfaf87d
Opcode Fuzzy Hash: a45f8c645a7b1873bb26161c8cef87e05bcf82249a896b0845d617bb2957c583
Instruction Fuzzy Hash: 59113A32904218ABDB21AB28DC0AEDE77BCFF55311F004179F409DA091EF74DA808AA1

Function 008A9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

GetSystemMetrics.USER32(0000000F), ref: 008A9FC7
GetSystemMetrics.USER32(0000000F), ref: 008A9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008AA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008AA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008AA263
ShowWindow.USER32(00000003,00000000), ref: 008AA282
InvalidateRect.USER32(?,00000000,00000001), ref: 008AA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 008AA2CA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7950cceea7c062c8726b0dc2e959b46e2a08cc0acc9f96ad41fbe5b49a320475
Instruction ID: 51a84a59191c33f73db369404d07da65032f0e8b1578714cb6eff0be5e8f0f93
Opcode Fuzzy Hash: 7950cceea7c062c8726b0dc2e959b46e2a08cc0acc9f96ad41fbe5b49a320475
Instruction Fuzzy Hash: E5B17A31600219EFEF18CF68C9857AE7BB2FF4A711F088069EC45DBA95DB31A950CB51

Function 0087ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0087ED2A
_wcslen.LIBCMT ref: 0087ED3B
_wcslen.LIBCMT ref: 0087ED79
_wcslen.LIBCMT ref: 0087EDAF
_wcslen.LIBCMT ref: 0087EDDF
_wcslen.LIBCMT ref: 0087EDEF
_wcslen.LIBCMT ref: 0087EE2B
_wcslen.LIBCMT ref: 0087EE5A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction ID: 568ae74cbb5cd9623901e65381b256e1a13c550e2424bedb79479c7d247e9c15
Opcode Fuzzy Hash: d7e823e0a352177ea7fb8e52f2f0821e93ccd48b3f2b51670c5d57575da96d3c
Instruction Fuzzy Hash: 22417765C1121875CB11EBF8888AACF77A8FF89710F509562F518E3121FB78E255C3E6

Function 0082F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0082F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 0086F454

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction ID: 814dca7f420cf453302ae3ac921ec0a8168c0c1d6202635777317416e501c05f
Opcode Fuzzy Hash: d5c024785e872efe6fc2489c99e5c343838902a7d9272dfc290cbdd7a5725d18
Instruction Fuzzy Hash: 5141F831608690BAD7399B2DB98872A7FB1FB56314F15443CE387D6A63DA31E8C0CB51

Function 008A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008A2D1B
GetDC.USER32(00000000), ref: 008A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 008A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 008A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008A2DE1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction ID: fcd55419ade65b0d4fd0528473ffd8d2b6b393c899f6f1d94f6893c616f64b7d
Opcode Fuzzy Hash: 67cf69fcbba1203ac2095740e8fea1ce7b5347bd8543cee83f4421e2d358601c
Instruction Fuzzy Hash: 02318772201614BBFB218F548C8AFEB3BA9FB1A711F044065FE08DA292D6759C50CBA0

Function 00875622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875637
_memcmp.LIBVCRUNTIME ref: 00875659
_memcmp.LIBVCRUNTIME ref: 00875671
_memcmp.LIBVCRUNTIME ref: 00875684
_memcmp.LIBVCRUNTIME ref: 0087569E
_memcmp.LIBVCRUNTIME ref: 008756B1
_memcmp.LIBVCRUNTIME ref: 008756C9
_memcmp.LIBVCRUNTIME ref: 008756E4

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction ID: d9bab49044317d0e0708d2eb11a20bb2f3d575470c7c5ed6f9dc181dd60aaf00
Opcode Fuzzy Hash: 7fa0abfc0038d76296524c9c9935b57e2bfbcd262ccc88ec3c19b680662efa72
Instruction Fuzzy Hash: 11212961640A1977E71855258D82FFA335CFF71794F448020FE0CDAB8AFBA8EE1081E6

Function 00894FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0089502E, 00895383
Not an Object type, xrefs: 00895007

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 02911b2ae7f56595d90ace2504f890d773db8a646dc046cf8729a34354431dd9
Instruction ID: 4ccb9fba8269456a5fbd169046b832ff2142e097b8530085a088dc16854debd8
Opcode Fuzzy Hash: 02911b2ae7f56595d90ace2504f890d773db8a646dc046cf8729a34354431dd9
Instruction Fuzzy Hash: 2AD1B171A0060A9FDF11DFA8C881BAEB7B5FF48344F188169E915EB281E770DD45CB90

Function 00851522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00851651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008516FB

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00851777
__freea.LIBCMT ref: 008517A2
__freea.LIBCMT ref: 008517AE

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction ID: 0eb7534d8dd2865860226dc7c2b1176b0eca33e14278e692d10de0e38226fffc
Opcode Fuzzy Hash: 2b64ed26ba92d56ac26c70cc0c4a1052f7e818ee97f26f867dd9f414a46a678d
Instruction Fuzzy Hash: 58919171F0021A9ADF208E78C889BEE7BA5FF49715F184659EC02E7141EB35DC48CBA0

Function 00894523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00894648
VariantInit.OLEAUT32(?), ref: 00894749
VariantClear.OLEAUT32(?), ref: 00894753
VariantClear.OLEAUT32(?), ref: 008947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008945D8, 00894706, 008947BE
Incorrect Object type in FOR..IN loop, xrefs: 0089472C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6ec9d929d233c97bfef693f460515361aa490ad19be4937ecd0c1da3fb5858d2
Instruction ID: 2cf3272162f9900fb3b131bbc59ccefdb942ca4339f006ec513029bccae6df33
Opcode Fuzzy Hash: 6ec9d929d233c97bfef693f460515361aa490ad19be4937ecd0c1da3fb5858d2
Instruction Fuzzy Hash: FC918C71A0021DABDF20EFA4C884FAEBBB8FF46714F148559F515EB281D7709946CBA0

Function 00881187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0088125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00881284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0088135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00881430

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 59cb24dcc417230e9a31624bde9c7f1f23c3727800093e38a0bee977ad75b98a
Instruction ID: 3ed429001a582b237cf0342330dfd755c018ad874d96f6485f5fc4725532994f
Opcode Fuzzy Hash: 59cb24dcc417230e9a31624bde9c7f1f23c3727800093e38a0bee977ad75b98a
Instruction Fuzzy Hash: 2691E271A002199FDF10EF98C888BBEB7BDFF45315F104029E941EB292DB74A946CB95

Function 0082948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction ID: 70aa0cde7efb53b33d3d951b937f9bf7f22083b807600b74ed20d4e71c1f1faa
Opcode Fuzzy Hash: 42778a37a00f072ce297ec0e2cd5bdcb6d43f7d76c2b1d848df533da3e3df41f
Instruction Fuzzy Hash: 85912571E00219EFCB10CFA9D984AEEBBB8FF49324F144059E955F7251D378A981CBA0

Function 00893947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0089396B
CharUpperBuffW.USER32(?,?), ref: 00893A7A
_wcslen.LIBCMT ref: 00893A8A
VariantClear.OLEAUT32(?), ref: 00893C1F

Part of subcall function 00880CDF: VariantInit.OLEAUT32(00000000), ref: 00880D1F
Part of subcall function 00880CDF: VariantCopy.OLEAUT32(?,?), ref: 00880D28
Part of subcall function 00880CDF: VariantClear.OLEAUT32(?), ref: 00880D34

Strings

Incorrect Parameter format, xrefs: 008939A6, 00893BA1
AUTOIT.ERROR, xrefs: 00893A80, 00893A85

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b38597d1b0d2b457a458f024a66d303667c3abca6438fcc2f0646dd9a18f3092
Instruction ID: 381817fc9963af4f2d62900d3276e7142e4b1ac082b170aca5b3be2db9fa4e66
Opcode Fuzzy Hash: b38597d1b0d2b457a458f024a66d303667c3abca6438fcc2f0646dd9a18f3092
Instruction Fuzzy Hash: 319113756083059FCB04EF68C48096ABBE5FF89314F18892DF88AD7351DB31EA45CB92

Function 00894BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0087000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
Part of subcall function 0087000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
Part of subcall function 0087000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
Part of subcall function 0087000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00894C51
_wcslen.LIBCMT ref: 00894D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00894DCF
CoTaskMemFree.OLE32(?), ref: 00894DDA

Strings

NULL Pointer assignment, xrefs: 00894E23, 00894E52

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0a2910f66cb679823f72564cf2e92a1d7fc99f895020a7695138ab4f26150be1
Instruction ID: 62f7abec79aafd9fde36be978ef3050fe8d0fd8c15df8f5800bf46ceebee47ab
Opcode Fuzzy Hash: 0a2910f66cb679823f72564cf2e92a1d7fc99f895020a7695138ab4f26150be1
Instruction Fuzzy Hash: 70911571D0021DAFDF14EFA4D890EEEB7B8FF08314F108169E919A7251EB349A458F61

Function 008A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 008A2183
GetMenuItemCount.USER32(00000000), ref: 008A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008A21DD
_wcslen.LIBCMT ref: 008A2213
GetMenuItemID.USER32(?,?), ref: 008A224D
GetSubMenu.USER32(?,?), ref: 008A225B

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008A22E3

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 60324d91e5f59e7bdcbbcc2a8746fdb3a7a03b6362d4f14d3a80c7ca4c9055c2
Instruction ID: 8a665e8f97eafc110c55f2ce08cbe742bc94e7c0f6cd2496bdc6fc3316b541a3
Opcode Fuzzy Hash: 60324d91e5f59e7bdcbbcc2a8746fdb3a7a03b6362d4f14d3a80c7ca4c9055c2
Instruction Fuzzy Hash: F1718E35A00215AFDB20DF68C841AAEB7F5FF49310F148459E916EB751DB34ED41CB91

Function 008A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01375C98), ref: 008A7F37
IsWindowEnabled.USER32(01375C98), ref: 008A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 008A801E
SendMessageW.USER32(01375C98,000000B0,?,?), ref: 008A8051
IsDlgButtonChecked.USER32(?,?), ref: 008A8089
GetWindowLongW.USER32(01375C98,000000EC), ref: 008A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008A80C3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c934df81ab4efb8f5b6875a2b447d58dd8a8b7ee0d299f233a1a9ab2839c89c6
Instruction ID: 7bfe91844e2917c05ffe050ca425c801feca8adeabbdb552eb1a5e24076db871
Opcode Fuzzy Hash: c934df81ab4efb8f5b6875a2b447d58dd8a8b7ee0d299f233a1a9ab2839c89c6
Instruction Fuzzy Hash: 38718934608244EFFB219F64CC94FAABBB9FF0A300F144059E945D7A61DB31AA55EB20

Function 0087AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0087AEF9
GetKeyboardState.USER32(?), ref: 0087AF0E
SetKeyboardState.USER32(?), ref: 0087AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0087AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0087AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0087AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0087B020

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction ID: 33a99dbde33afc1968d0a7607c3268fadad898fdfb594c4f7267fe47cb68ab15
Opcode Fuzzy Hash: 89d4621985484a7c39ce2cc21f846ff8886d4a9fc1b968fdcc90cf8352c851ba
Instruction Fuzzy Hash: 195104A16047D53DFB3A82348845BBE7EAABB46304F08C589E1DDC58D3C798E8C4D352

Function 0087ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0087AD19
GetKeyboardState.USER32(?), ref: 0087AD2E
SetKeyboardState.USER32(?), ref: 0087AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0087ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0087ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0087AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0087AE38

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction ID: 4b3781c652a2dcb32c86ab328c312986c2f4e6072bad7ba9b6d92dad0a857095
Opcode Fuzzy Hash: aaeca2b9031f2608062bc0cca36f1ecb2f8fb1eabaa1d5f627f996af86b3e25c
Instruction Fuzzy Hash: C251C5A15047D53DFB3A83648C95BBE7EA9FB86300F08C489E1DDD68C6D294EC84D752

Function 0084542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00853CD6,?,?,?,?,?,?,?,?,00845BA3,?,?,00853CD6,?,?), ref: 00845470
__fassign.LIBCMT ref: 008454EB
__fassign.LIBCMT ref: 00845506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00853CD6,00000005,00000000,00000000), ref: 0084552C
WriteFile.KERNEL32(?,00853CD6,00000000,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 0084554B
WriteFile.KERNEL32(?,?,00000001,00845BA3,00000000,?,?,?,?,?,?,?,?,?,00845BA3,?), ref: 00845584

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction ID: 3f6f4d0fb785ecb971c9fc8c5e336b151066d841016747b135c1fa74180a337b
Opcode Fuzzy Hash: 80da4c42a1db080242869f9ab43e5be0e77f7c4561ca4bdb59109225137c5702
Instruction Fuzzy Hash: DF51E3B0A0064DAFDB11CFA8D895AEEBBF9FF09300F15451AF555E7292E7309A41CB60

Function 00832D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00832D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00832D53
_ValidateLocalCookies.LIBCMT ref: 00832DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00832E0C
_ValidateLocalCookies.LIBCMT ref: 00832E61

Strings

csm, xrefs: 00832DF6

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction ID: 2519ebbb97768f8adae416334e7c17beba880da7f06dcbb522b5608686b1f228
Opcode Fuzzy Hash: 44aa3e4b4c5d8ef22457d68293bfcf152aaaa9ae8b8a55b4c982e41a14b1f631
Instruction Fuzzy Hash: 5A418C34A0020DEBCF10DF68C845A9EBBA5FF85328F148165E915EB392DB35AA15CBD1

Function 008910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
Part of subcall function 0089304E: _wcslen.LIBCMT ref: 0089309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00891112
WSAGetLastError.WSOCK32 ref: 00891121
WSAGetLastError.WSOCK32 ref: 008911C9
closesocket.WSOCK32(00000000), ref: 008911F9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction ID: f2717c2f1d67d344b12423ea05b33808d4ff7d31b1eb2ae6e14478b846b77dfd
Opcode Fuzzy Hash: d6eb21cdfded9dd29f68995d0a6e8e8df0233cd922102bf092b32e98da8195f5
Instruction Fuzzy Hash: 8B41D431600205AFEF10AF18C888BA9BBE9FF45364F188059F915DB291DB74ED81CBA1

Function 0087CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

lstrcmpiW.KERNEL32(?,?), ref: 0087CF45
MoveFileW.KERNEL32(?,?), ref: 0087CF7F
_wcslen.LIBCMT ref: 0087D005
_wcslen.LIBCMT ref: 0087D01B
SHFileOperationW.SHELL32(?), ref: 0087D061

Strings

\*.*, xrefs: 0087CFF3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 6335745657ca6298711d7ff16851cfec12b392945d9dba8a4cfe80ff2ea9b2a7
Instruction ID: 789d712bffeef1b8987f604361bd2070f4ff653fc27aaaf4a2a35338963cda82
Opcode Fuzzy Hash: 6335745657ca6298711d7ff16851cfec12b392945d9dba8a4cfe80ff2ea9b2a7
Instruction Fuzzy Hash: E74142719052185FDF12EFA4C981ADEB7B8FF49380F0040EAE549EB145EE74E688CB51

Function 008A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 008A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 008A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 008A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 008A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 008A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 008A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A2F0B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction ID: fbab4a08932be16223c4ca9284c096d919ba355cbc0d4d3b47250a2e22a91273
Opcode Fuzzy Hash: 3ccfd5d6c443ae5e36e4406cd436f4c9f23036e2d97b853e9b6ece2944c2e02c
Instruction Fuzzy Hash: C531E130604294AFEB21DF5CDC88F657BE1FB9A710F1501A4F901CF6A2CB71A8A0DB41

Function 00877726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0087778F
SysAllocString.OLEAUT32(00000000), ref: 00877792
SysAllocString.OLEAUT32(?), ref: 008777B0
SysFreeString.OLEAUT32(?), ref: 008777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008777DE
SysAllocString.OLEAUT32(?), ref: 008777EC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 411a69ff5447d73901a3c46315d4a6d6e497e21f952488098806345b0c8a1a58
Instruction ID: ab802792089b92afd14a04dfbe79168e1a0022f43fb7669558252f410c735ddf
Opcode Fuzzy Hash: 411a69ff5447d73901a3c46315d4a6d6e497e21f952488098806345b0c8a1a58
Instruction Fuzzy Hash: 6721B076604219AFEB14DFA8DC88CBB77ECFB093A47008025FA18DB165D670DC41C764

Function 008777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00877868
SysAllocString.OLEAUT32(00000000), ref: 0087786B
SysAllocString.OLEAUT32 ref: 0087788C
SysFreeString.OLEAUT32 ref: 00877895
StringFromGUID2.OLE32(?,?,00000028), ref: 008778AF
SysAllocString.OLEAUT32(?), ref: 008778BD

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 79653b9439621646b9c206e7bc256388269ea57b884a524dcc379116c46612ab
Instruction ID: 3f68255f2af33869cb9c6c2befebca7033dc2362b1e79d7de22e2b5fb7837ccd
Opcode Fuzzy Hash: 79653b9439621646b9c206e7bc256388269ea57b884a524dcc379116c46612ab
Instruction Fuzzy Hash: 20216035608218AFEB109FA8DC88DBA77ECFB097607108135F919CB2A5DA74DC41CB69

Function 008804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0088052E

Strings

nul, xrefs: 00880567

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction ID: a59fdfc204b9c09e468b5dedc28c98ccf9fd81d57bd119762be09233a451cc7b
Opcode Fuzzy Hash: 849e4582fb02f90544b8a9064625d9e63365d36ea2c31d60a35bfc260d5750a3
Instruction Fuzzy Hash: 80213D75600305AFDB60AF69DC44A9A77E4FF45724F204A19F8A1E62E1E7709958CF30

Function 008805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00880601

Strings

nul, xrefs: 00880639

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction ID: 6c613343cd4feeecbb2e8785d80594f6a9a4e313ec38543aa5d1de3ee7448fa5
Opcode Fuzzy Hash: 3c009bd4d5fd66a703a80190741526ff815129618392a5a7689c29842787e738
Instruction Fuzzy Hash: A62181755003059FDB60AF698C04A9A77E4FFA5724F200B19F8A1E72E0E7709864CF20

Function 008A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008A4145

Strings

Msctls_Progress32, xrefs: 008A40E3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction ID: add745b5157f803081b7b7a03e1085df5723cafcec251d3c06a172c7475b2c9b
Opcode Fuzzy Hash: c13d5487db977a2465090fb125f6867dc59cad3f08ca6375ba56f24fd5fd489b
Instruction Fuzzy Hash: 2B1190B214021DBEFF118E64CC85EE77F9DFF09798F005121BA18E6150CAB29C619BA4

Function 0084D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0084D7A3: _free.LIBCMT ref: 0084D7CC

_free.LIBCMT ref: 0084D82D

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D838
_free.LIBCMT ref: 0084D843
_free.LIBCMT ref: 0084D897
_free.LIBCMT ref: 0084D8A2
_free.LIBCMT ref: 0084D8AD
_free.LIBCMT ref: 0084D8B8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: e0b3f7f2c545c1e874a6e9a482f29263a3d30fe51ad632c298dc8fa4746682b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 5111F971544B08AAEA21BFB5CC46FCB7F9CFF04700F804825B299E6692DA75A5058662

Function 0087DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0087DA74
LoadStringW.USER32(00000000), ref: 0087DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0087DA91
LoadStringW.USER32(00000000), ref: 0087DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0087DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0087DAB9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction ID: 60c190476077b3002e2db3fe689c9b5251df8dda362ed7277b3f3b1538591e29
Opcode Fuzzy Hash: 3dcfab05ada66b28a97f6226d29d3d78676af7620619d97e22045be82d88521c
Instruction Fuzzy Hash: 87014BF29002187FF710ABA49D89EEA776CFB09301F404496B74AE2441EA749E848B74

Function 0088096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0136D3D0,0136D3D0), ref: 0088097B
EnterCriticalSection.KERNEL32(0136D3B0,00000000), ref: 0088098D
TerminateThread.KERNEL32(?,000001F6), ref: 0088099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008809A9
CloseHandle.KERNEL32(?), ref: 008809B8
InterlockedExchange.KERNEL32(0136D3D0,000001F6), ref: 008809C8
LeaveCriticalSection.KERNEL32(0136D3B0), ref: 008809CF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction ID: 38f1ce82c4f2279c02f0eaafe1077900a83071f5287d0b5114491f2e753c0b0a
Opcode Fuzzy Hash: e3243154a9b06686e0c69d3d9972d9a1cb8d6024d72a9c7632837aace24021c9
Instruction Fuzzy Hash: 9DF0EC32542A12BBE7515FA4EE8DBD6BB39FF06702F402025F20290CA1DB759465CF90

Function 00815D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00815D30
GetWindowRect.USER32(?,?), ref: 00815D71
ScreenToClient.USER32(?,?), ref: 00815D99
GetClientRect.USER32(?,?), ref: 00815ED7
GetWindowRect.USER32(?,?), ref: 00815EF8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 397b78bf4389a16cc47f188510b19a22630dddd77b7bd53c62b592a4973f12a6
Instruction ID: 6c706b80d444f2cb20546e42c52c33f82323fa42eb8d5571213a644157420d2c
Opcode Fuzzy Hash: 397b78bf4389a16cc47f188510b19a22630dddd77b7bd53c62b592a4973f12a6
Instruction Fuzzy Hash: 71B17974A0074ADBDB10CFA8C4807EEB7F5FF58314F14941AE8AAD7250DB30AA95DB50

Function 008401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008400D6
__allrem.LIBCMT ref: 008400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0084010B
__allrem.LIBCMT ref: 00840122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00840140

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 908df50457970ae771974849dae04a3d1b467e7238ba4de22139128350ee8ac1
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 8481C771A00B0A9BD720AE6DCC41B6B73E9FF91324F244539F651D7282EB70D9008F91

Function 00891D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00893149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0089101C,00000000,?,?,00000000), ref: 00893195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00891DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00891DE1
WSAGetLastError.WSOCK32 ref: 00891DF2
inet_ntoa.WSOCK32(?), ref: 00891E8C
htons.WSOCK32(?,?,?,?,?), ref: 00891EDB
_strlen.LIBCMT ref: 00891F35

Part of subcall function 008739E8: _strlen.LIBCMT ref: 008739F2

Part of subcall function 00816D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0082CF58,?,?,?), ref: 00816DBA
Part of subcall function 00816D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0082CF58,?,?,?), ref: 00816DED

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 02dc12cd1993b85bce76b905466a4bfbf2112d5b654a12c964ef32f7f65cea8c
Instruction ID: e48d600b536655c8514ffb6c0b7f037a021318400fe5d6f77305b9a99db4dc0c
Opcode Fuzzy Hash: 02dc12cd1993b85bce76b905466a4bfbf2112d5b654a12c964ef32f7f65cea8c
Instruction Fuzzy Hash: 21A1D231108305AFDB14EB24C899E6A77A5FF84318F58895CF456DB2A2DB31ED81CB92

Function 008461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008382D9,008382D9,?,?,?,0084644F,00000001,00000001,8BE85006), ref: 00846258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0084644F,00000001,00000001,8BE85006,?,?,?), ref: 008462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008463D8
__freea.LIBCMT ref: 008463E5

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

__freea.LIBCMT ref: 008463EE
__freea.LIBCMT ref: 00846413

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction ID: fabab229cc223bcd0b8a1159b4dbe838b1c9c8d6b71b1c5b5638f133313e49f0
Opcode Fuzzy Hash: 890c7553ec466c3754c397b2123071da2fd3365960fa4f25ca406f767ef50a4a
Instruction Fuzzy Hash: BB51F572A0025EABEF258F64CC81EAF77A9FF46710F154229FC05D6240EB34DC60C662

Function 0089BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BD25
RegCloseKey.ADVAPI32(00000000), ref: 0089BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0089BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0089BDF3
RegCloseKey.ADVAPI32(?), ref: 0089BDFF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6a1aedb105d55808985ad1039f435de89e51964ff056e42752227172894737ec
Instruction ID: 9c124fa964434d0f9a6328c093096905e6e895f4974f32505acc0263516bcbe3
Opcode Fuzzy Hash: 6a1aedb105d55808985ad1039f435de89e51964ff056e42752227172894737ec
Instruction Fuzzy Hash: A281D430108241EFD714EF24D981E6ABBE9FF84308F18445CF5598B2A2DB31ED45CB92

Function 0086F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0086F7B9
SysAllocString.OLEAUT32(00000001), ref: 0086F860
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F889
VariantClear.OLEAUT32(0086FA64), ref: 0086F8AD
VariantCopy.OLEAUT32(0086FA64,00000000), ref: 0086F8B1
VariantClear.OLEAUT32(?), ref: 0086F8BB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e213e0188eb6d6d38a605af1055e19f8529aacf7ed1e78ac1e6eb8298dc3aefe
Instruction ID: 0ce2c24d0044c96843db78e00cd9a449fc8b149da65f9bd335bf0d8337d5c40e
Opcode Fuzzy Hash: e213e0188eb6d6d38a605af1055e19f8529aacf7ed1e78ac1e6eb8298dc3aefe
Instruction Fuzzy Hash: F151D531600314BADF10AB69E895B69B7A8FF45314F215476EA05DF293DB70CC40C757

Function 0088910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008894E5
_wcslen.LIBCMT ref: 00889506
_wcslen.LIBCMT ref: 0088952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00889585

Strings

X, xrefs: 00889412

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 5175b14ec81350c56df5a71c2d0d18a4b89cc6f218546bee71e22b6971b12365
Instruction ID: 4986c21e5784752fc18fdb8511fb96dbd5dd982fc3364144687bd7a91d50aa11
Opcode Fuzzy Hash: 5175b14ec81350c56df5a71c2d0d18a4b89cc6f218546bee71e22b6971b12365
Instruction Fuzzy Hash: E1E170315043009FD724EF28D881AAAB7E5FF85314F08856DE999DB3A2DB31ED45CB92

Function 0082920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

BeginPaint.USER32(?,?,?), ref: 00829241
GetWindowRect.USER32(?,?), ref: 008292A5
ScreenToClient.USER32(?,?), ref: 008292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008292D3
EndPaint.USER32(?,?,?,?,?), ref: 00829321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008671EA

Part of subcall function 00829339: BeginPath.GDI32(00000000), ref: 00829357

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction ID: 4953935d01614026069910bf2cf886655a2ac5403b61a3b25af6e88502b22371
Opcode Fuzzy Hash: 8b941adba3d4da861d5ff253420de8927611d9750ed5cb86be8b4a6835078c28
Instruction Fuzzy Hash: 48419230104255AFDB11DF24DC88FBA7BF8FB56724F140269F9A4CB2A2C7319885DB62

Function 008807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0088080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00880847
EnterCriticalSection.KERNEL32(?), ref: 00880863
LeaveCriticalSection.KERNEL32(?), ref: 008808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00880921

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d87a25b39b7d689281b5dbca0381a01d59610d875d1345faab5183fad07f8b95
Instruction ID: 97c1c09b8b0bb1b37da1e2528bcb4fd6910d61e205d9ce07195dcc1bd9c1ebe0
Opcode Fuzzy Hash: d87a25b39b7d689281b5dbca0381a01d59610d875d1345faab5183fad07f8b95
Instruction Fuzzy Hash: 07415871A00205EBEF15AF58DC85AAA77B8FF04310F1440B9E900EA297DB30DE64DFA1

Function 008A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0086F3AB,00000000,?,?,00000000,?,0086682C,00000004,00000000,00000000), ref: 008A824C
EnableWindow.USER32(?,00000000), ref: 008A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008A82D1
ShowWindow.USER32(?,00000004), ref: 008A82E5
EnableWindow.USER32(?,00000001), ref: 008A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008A832F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction ID: 54bf42c32fabe735bb12fa964f3e29d472ad1df16a1202422e8cbcc8552709fe
Opcode Fuzzy Hash: 8cf9a876dc7c5bb911b91e42a30a2989fec43bed5230ad46e8978703e54ff130
Instruction Fuzzy Hash: 92418234601644EFEF25CF25D8D9BE47BE1FB0B714F1841A9E6488F6A2CB31A851CB60

Function 00874C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00874C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00874CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00874CEA
_wcslen.LIBCMT ref: 00874D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00874D10
_wcsstr.LIBVCRUNTIME ref: 00874D1A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: fba781de54f5e4326719251f0475d8ada520a6b2e59654680c47380e9a015b21
Instruction ID: 03cb17eb58e13c9116c321fb2313c496dc40858aa84b12aa3cf2721857143011
Opcode Fuzzy Hash: fba781de54f5e4326719251f0475d8ada520a6b2e59654680c47380e9a015b21
Instruction Fuzzy Hash: 13210731204214BBFB669B39AC49E7B7FACFF46750F10903DF809CA196EB65DC4092A1

Function 0088581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00813AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00813A97,?,?,00812E7F,?,?,?,00000000), ref: 00813AC2

_wcslen.LIBCMT ref: 0088587B
CoInitialize.OLE32(00000000), ref: 00885995
CoCreateInstance.OLE32(008AFCF8,00000000,00000001,008AFB68,?), ref: 008859AE
CoUninitialize.OLE32 ref: 008859CC

Strings

.lnk, xrefs: 00885876, 008858C1, 00885985

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b4c498229136260778ff0d98862d059759023bcf8c53e4aef6d52f6547bbd3db
Instruction ID: dc0a413d1caf724311832d4f66e59fd7a8b9ff61121baa062f935c6cdf3b351d
Opcode Fuzzy Hash: b4c498229136260778ff0d98862d059759023bcf8c53e4aef6d52f6547bbd3db
Instruction Fuzzy Hash: A4D143716086019FC714EF28C480A6ABBE6FF89724F14885DF889DB361DB31ED45CB92

Function 0087175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
Part of subcall function 00870FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
Part of subcall function 00870FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
Part of subcall function 00870FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
Part of subcall function 00870FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

GetLengthSid.ADVAPI32(?,00000000,00871335), ref: 008717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008717BA
HeapAlloc.KERNEL32(00000000), ref: 008717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008717DA
GetProcessHeap.KERNEL32(00000000,00000000,00871335), ref: 008717EE
HeapFree.KERNEL32(00000000), ref: 008717F5

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction ID: c287dc3669ad41d6d8603cdef7af3be79336bb2fb987844643bd9ce41e70d399
Opcode Fuzzy Hash: 71c549b2d0fc57d8c3dea8781ffb7a4afb97f7d97a3489986b0a796f3d623837
Instruction Fuzzy Hash: D3118E71610605FFEF189FA8CC49BAE7BA9FB46399F108018F445D7628D735E944CB60

Function 008714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00871506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00871515
CloseHandle.KERNEL32(00000004), ref: 00871520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00871563

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction ID: 1cb463768898732bdc4af13678b8ca6cd40078eeab98da4c54d6185bd3a41d23
Opcode Fuzzy Hash: 55d4f103e32fe1d50eb19279ab4f58b3bc79fab52348ad51fa6d594dc2f698b5
Instruction Fuzzy Hash: 4B11267250020DABEF118FA8DD49BDE7BAAFF49748F048025FA09A2560C375CE64DB60

Function 00833382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00833379,00832FE5), ref: 00833390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0083339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008333B7
SetLastError.KERNEL32(00000000,?,00833379,00832FE5), ref: 00833409

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 35a9f1d85ea93826fac31a80b8fb719792632652addbd0106dd292d6ce013c85
Instruction ID: c73dfd7fad4422cf9083f8d83e5c15a589bcff93cf0a8af1320c2af897f5c5ed
Opcode Fuzzy Hash: 35a9f1d85ea93826fac31a80b8fb719792632652addbd0106dd292d6ce013c85
Instruction Fuzzy Hash: E901D43364E712BEAA2527797C86A676F94FBA5379F20832AF410C53F0EF114D01A5C5

Function 00842D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00845686,00853CD6,?,00000000,?,00845B6A,?,?,?,?,?,0083E6D1,?,008D8A48), ref: 00842D78
_free.LIBCMT ref: 00842DAB
_free.LIBCMT ref: 00842DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0083E6D1,?,008D8A48,00000010,00814F4A,?,?,00000000,00853CD6), ref: 00842DEC
_abort.LIBCMT ref: 00842DF2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f852c100371b8bcd9737db8233ef09cec7ca2e8db67c725e29f274cfdecbad28
Instruction ID: 989a69dba07be89eafd82ea3462224152ec7ba480fc23ccbc736140142a10aa8
Opcode Fuzzy Hash: f852c100371b8bcd9737db8233ef09cec7ca2e8db67c725e29f274cfdecbad28
Instruction Fuzzy Hash: F7F0C83190DA1D67D612773DBC0AF1E3A59FFC27A5F640519F824D22D2EF7488014162

Function 008A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 008A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 008A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 008A8A70
LineTo.GDI32(?,00000000,00000003), ref: 008A8A80
EndPath.GDI32(?), ref: 008A8A90
StrokePath.GDI32(?), ref: 008A8AA0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction ID: aa9fc65547969822506b436fc71b37a789f94fe6ab7fe01a9b68fc4c60a886bc
Opcode Fuzzy Hash: a4262048931d3c8a7ad926f1740df1e1acc08e8f8b500f545a99e1268d739167
Instruction Fuzzy Hash: 14110976000158FFEF129F94DC88EAA7F6CFB09350F008012FA199A5A1D771AD55DBA0

Function 008751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00875218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00875229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00875230
ReleaseDC.USER32(00000000,00000000), ref: 00875238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0087524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00875261

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction ID: 8062e9420107747b4ee0e9d07450c381f45b5647a8f7713fa3afd342f8ac26e2
Opcode Fuzzy Hash: fbc241248d2aaa85f51b2a6497c70e47d628fa17918573f3394e813a365c5340
Instruction Fuzzy Hash: 8C014F75A00718BBEB109BA69C49A5EBFB8FB49751F044065FA04E7681DA70DC00CFA0

Function 00811BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00811BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00811BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00811C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00811C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00811C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00811C22

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction ID: 2337703464a6f9ee212430fa96ea39a66334e7a06e6b9de92bce74c1d70a8111
Opcode Fuzzy Hash: 9793ae4ce71b431f56d3d3ef4fec3d52770578dfa0b0fe19880e06f701a98c7c
Instruction Fuzzy Hash: 4A0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 0087EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0087EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0087EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0087EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0087EB75

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction ID: 40168818099cb8d42b4809b61048450c53e67157d579d0993def229f72e36206
Opcode Fuzzy Hash: 7e759b3454cc717106e17f0b44f214ae25b8739cb0f419d8951b409b43e62612
Instruction Fuzzy Hash: 1BF01772240558BBE6219B629C0EEAB7A7CFBDBB11F004159F601E1591EBA05A0186B5

Function 00867439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00867452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00867469
GetWindowDC.USER32(?), ref: 00867475
GetPixel.GDI32(00000000,?,?), ref: 00867484
ReleaseDC.USER32(?,00000000), ref: 00867496
GetSysColor.USER32(00000005), ref: 008674B0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction ID: a7d42d0348540ced15115b729965fc4cb1676fc43b31d000ef18ab4dde283bf8
Opcode Fuzzy Hash: 437e8727d222653393daad84f1a23778484038ea3146e693da763592178d0442
Instruction Fuzzy Hash: B501A931400219EFEB509FA4DD08BAE7BB6FF05325F210064FA26E25A0CF311E41EB90

Function 00871874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0087187F
UnloadUserProfile.USERENV(?,?), ref: 0087188B
CloseHandle.KERNEL32(?), ref: 00871894
CloseHandle.KERNEL32(?), ref: 0087189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008718A5
HeapFree.KERNEL32(00000000), ref: 008718AC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction ID: 7ffbc852af878ce1165dcd9bd31d78e644538c451e1beffe6e0c94e4b1b5982e
Opcode Fuzzy Hash: 23863f7181cddd2d4649a1fba116ba666bc512aef1ccacc7ea64a9e59b9ce47b
Instruction Fuzzy Hash: DBE0E536204101BBEB015FA5ED0C90AFF79FF4AB22B108220F22581970CB329421DF50

Function 0087C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C6EE
_wcslen.LIBCMT ref: 0087C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0087C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0087C7CA

Strings

0, xrefs: 0087C6AF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2a76661f13ea9b1c964d4d31bbfdf3cf8b551b83eba301b5aa732348809ff470
Instruction ID: df52c7669c8f35e50a65e9584c483644c6d0f36b49f666fd1b5ce552c23db30c
Opcode Fuzzy Hash: 2a76661f13ea9b1c964d4d31bbfdf3cf8b551b83eba301b5aa732348809ff470
Instruction Fuzzy Hash: CF51DE716083009BD7189F2CC885A6B77E8FF9A394F048A2DF999E31A5DF70D944CB52

Function 0089AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0089AEA3

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

GetProcessId.KERNEL32(00000000), ref: 0089AF38
CloseHandle.KERNEL32(00000000), ref: 0089AF67

Strings

<, xrefs: 0089AE6B
@, xrefs: 0089AE72

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 60aac315b382719fbda55ccac12d3f8ce79e284dcd103b02b3d7e6c497648ffd
Instruction ID: 6f9ac9b25f206e60ff7a7a1de2099239b1ec9536349287a352b8b34d46d2ab24
Opcode Fuzzy Hash: 60aac315b382719fbda55ccac12d3f8ce79e284dcd103b02b3d7e6c497648ffd
Instruction Fuzzy Hash: A8713774A00219DFCF14EF58C484A9EBBB5FF08314F088499E816AB752CB75ED85CB92

Function 0087719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00877206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0087723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0087724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008772CF

Strings

DllGetClassObject, xrefs: 00877242

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction ID: 9706590ac4e62610e0a26b6e601e8dea8fd3b091979dad5de2e81a96f9597e95
Opcode Fuzzy Hash: 7bfb60997defd8b72c9d193725d9e0be4d906f8995dfc64fd58d260ac79e23cd
Instruction Fuzzy Hash: BF416B71A04204EFDB15CF94C884A9A7BA9FF45314F1480A9BD1ADF20ED7B0D944DBA0

Function 008A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A3E35
IsMenu.USER32(?), ref: 008A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008A3E92
DrawMenuBar.USER32 ref: 008A3EA5

Strings

0, xrefs: 008A3D89

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 72e1b852904cfa11da880d9758c6c624b2288460be1459e812c2ace946b2ec0e
Instruction ID: f0108c91d8539dbbf89e02d42a9729a5c79eaba534e3e949a13a21a24cd9119f
Opcode Fuzzy Hash: 72e1b852904cfa11da880d9758c6c624b2288460be1459e812c2ace946b2ec0e
Instruction Fuzzy Hash: F9413875A01209EFEB10DF54D884AEABBB9FF4A355F04412AF905EBA50D730AE64CF50

Function 00871DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00871E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00871E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00871EA9

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Strings

ComboBox, xrefs: 00871DF0
ListBox, xrefs: 00871E25

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 33d0f3fb01a6c22bab22d15bdb098108199bdbc8b8c5b0d05c16d7adcfe9a76d
Instruction ID: 80961461524de38f45ceebbae78f23e308295c6a18afe0443c3b62b4ba9fb5a1
Opcode Fuzzy Hash: 33d0f3fb01a6c22bab22d15bdb098108199bdbc8b8c5b0d05c16d7adcfe9a76d
Instruction Fuzzy Hash: 61210A72900104BADB149B68DC5ACFF77BCFF46360B108129F869E76D1DB3489459661

Function 0089C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0089C9F1
_wcslen.LIBCMT ref: 0089CA68
_wcslen.LIBCMT ref: 0089CA9E
_wcslen.LIBCMT ref: 0089CAF9
_wcslen.LIBCMT ref: 0089CB2F
_wcslen.LIBCMT ref: 0089CB7F

Strings

HKLM, xrefs: 0089CA98, 0089CA9D
HKEY_LOCAL_MACHINE, xrefs: 0089CA62, 0089CA67

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 295c39dee447c6911c0a553465541e9c988aac2f05a8696e452cb916f8e239f2
Instruction ID: 6bbff2276310ec1b64a55c4550ad0e51616963b3b2d174a3b8b9e36f117c8d59
Opcode Fuzzy Hash: 295c39dee447c6911c0a553465541e9c988aac2f05a8696e452cb916f8e239f2
Instruction Fuzzy Hash: 4031D1B2A001794BCF20FE6C98405BE37D1FBA1750B4D402AE841EB384FA76CD8483A0

Function 008A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008A2F8D
LoadLibraryW.KERNEL32(?), ref: 008A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008A2FA9
DestroyWindow.USER32(?), ref: 008A2FB1

Strings

SysAnimate32, xrefs: 008A2F68

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction ID: c882540c39c35ab9049b35d48d41c067a3c808a0b7730cc251328533ef558ce6
Opcode Fuzzy Hash: 9543f169b7774eecaa10b553932183d36a731e9a8f38fe63d273cc53ccabd882
Instruction Fuzzy Hash: 5E219A71200209AFFB309F68DC80EBB37B9FB5A368F104229FA50D6990DB71DC919760

Function 00834D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002), ref: 00834D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00834DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00834D1E,008428E9,?,00834CBE,008428E9,008D88B8,0000000C,00834E15,008428E9,00000002,00000000), ref: 00834DC3

Strings

mscoree.dll, xrefs: 00834D86
CorExitProcess, xrefs: 00834D98

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction ID: 8c62049ae16b9ebb502ac6ff77886f4bc86747e8bbb9df099f01eee671bbac78
Opcode Fuzzy Hash: f77f4c2ffce647d5ad94eaf6419dd4a3cc7556c05df5bb551fbfb036eef90fee
Instruction Fuzzy Hash: E0F03C34A41618ABEB119B94DC49BAEBFE5FB44751F0001A4E806E2660CF75AD40DED5

Function 0086D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0086D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0086D3BF
FreeLibrary.KERNEL32(00000000), ref: 0086D3E5

Strings

X64, xrefs: 0086D2A8
GetSystemWow64DirectoryW, xrefs: 0086D3B9

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction ID: a297cb63ff226854e3e6a3e452b5bee0d5f1d73fb74125c5e2883a26af56a864
Opcode Fuzzy Hash: 82be257e039231f774a07d78f4730894c6e6dcc0400ca8b0e17cc42f7bcbbda2
Instruction Fuzzy Hash: 78F05571F05B208BE77117118C28A6E3720FF12709B568155F602EA321EB20CC84C792

Function 00814E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814EAE
FreeLibrary.KERNEL32(00000000,?,?,00814EDD,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814EC0

Strings

kernel32.dll, xrefs: 00814E94
Wow64DisableWow64FsRedirection, xrefs: 00814EA8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction ID: b85881fec64011d4c9bc059d0e947e72b2f4df5f0c9d5441b20d4c3893854add
Opcode Fuzzy Hash: 6f25a49518c044b1e8791cfb561095a280105b1cc8d5af3a04ae76d5e7ba2fee
Instruction Fuzzy Hash: 3BE08635B019225BA2311B256C18B9B7658FF82B727050115FC04D2600DB64CD4284A1

Function 00814E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814E74
FreeLibrary.KERNEL32(00000000,?,?,00853CDE,?,008E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00814E87

Strings

kernel32.dll, xrefs: 00814E5B
Wow64RevertWow64FsRedirection, xrefs: 00814E6E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction ID: 3df3d790f6dff00018e60566ed398687ca9ef9fe4181d8eff4372c10332cfbdd
Opcode Fuzzy Hash: 9585ab067d2a81acf6942d2c3e693e25ca69607aad54d4b13fd926b13867de53
Instruction Fuzzy Hash: 5ED01235602A225766221B257C18DCB7A1CFF86B713450615F905E2614DF65CD42C5E0

Function 00882947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882C05
DeleteFileW.KERNEL32(?), ref: 00882C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00882C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00882CC0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 4066348277fd47f066668ee00d57b3d6960c7cb3e0a4b60d795a035c91fcb645
Instruction ID: d0ec38892414321d62ae7b0a1830bb7ac355c170860e7114373a24bcd1b96136
Opcode Fuzzy Hash: 4066348277fd47f066668ee00d57b3d6960c7cb3e0a4b60d795a035c91fcb645
Instruction Fuzzy Hash: ECB14F71D01129ABDF15EBA8CC85EEEB7BDFF49350F1040A6F509E6141EA319A448FA1

Function 0089A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0089A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0089A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0089A468
CloseHandle.KERNEL32(?), ref: 0089A63D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 3aa6eae858571c74daf40d6758cb4da2215cad5dccc139d87464bf98b416cc31
Instruction ID: 27b453d339398d167e006fa6b31306b76a3c14d5bb1bd42d2f50b98243d691c2
Opcode Fuzzy Hash: 3aa6eae858571c74daf40d6758cb4da2215cad5dccc139d87464bf98b416cc31
Instruction Fuzzy Hash: 01A16D716043009FDB24EF28D886B2AB7E5FF94714F14885DF55ADB292DBB0EC418B92

Function 0087E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0087CF22,?), ref: 0087DDFD

Part of subcall function 0087DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0087CF22,?), ref: 0087DE16

Part of subcall function 0087E199: GetFileAttributesW.KERNEL32(?,0087CF95), ref: 0087E19A

lstrcmpiW.KERNEL32(?,?), ref: 0087E473
MoveFileW.KERNEL32(?,?), ref: 0087E4AC
_wcslen.LIBCMT ref: 0087E5EB
_wcslen.LIBCMT ref: 0087E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0087E650

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cfc292117daa387525a90c4e2d0f53ce92c75762ac44b0087fa5d7c305f9653c
Instruction ID: 05b726201daf8e20938d714133a81ea4b6961d5603cbac2fcd8b1f922d1b162c
Opcode Fuzzy Hash: cfc292117daa387525a90c4e2d0f53ce92c75762ac44b0087fa5d7c305f9653c
Instruction Fuzzy Hash: 20517EB24087445BC724DB94C8919DB73ECFF88344F00492EE689D3151EE74E68887AB

Function 0089B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 0089C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0089B6AE,?,?), ref: 0089C9B5
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089C9F1
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA68
Part of subcall function 0089C998: _wcslen.LIBCMT ref: 0089CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0089BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0089BB63
RegCloseKey.ADVAPI32(?,?), ref: 0089BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0089BBB3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 05650cd87f910e2f9dab1b0db96b98a9f700a17f21f410d424467b8eb47d9683
Instruction ID: adca6da3d2f0b635c40fcc00d335442d703c13191090965d275f18db2bcb3df3
Opcode Fuzzy Hash: 05650cd87f910e2f9dab1b0db96b98a9f700a17f21f410d424467b8eb47d9683
Instruction Fuzzy Hash: 4A61C031208241EFD714EF14D990E6ABBE9FF84318F18855CF4998B2A2DB31ED45CB92

Function 00878BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00878BCD
VariantClear.OLEAUT32 ref: 00878C3E
VariantClear.OLEAUT32 ref: 00878C9D
VariantClear.OLEAUT32(?), ref: 00878D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00878D3B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction ID: b442e11746f46f4395e162824327115b1dc0624e97c368362e7d0ebc6cb875bb
Opcode Fuzzy Hash: 228207fd30c23ebda0b092dd299a5f675328bbb17c7c39bf1215130ba83fe721
Instruction Fuzzy Hash: F85189B1A00219EFCB10CF28C884AAABBF8FF8D314B158559E919DB354E730E911CF90

Function 00888AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00888BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00888BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00888C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00888C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00888C5F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 87d4f0c2fca26c2d1b0bcdb6688ab3f5c241deefaa849320068967b50c489a5d
Instruction ID: 9ae282b72db3ea27cf956987baa7b15bc76fd29619bfa79659b18cf7facb33d0
Opcode Fuzzy Hash: 87d4f0c2fca26c2d1b0bcdb6688ab3f5c241deefaa849320068967b50c489a5d
Instruction Fuzzy Hash: 44515D35A00215DFCB01DF68C881AADBBF6FF49314F088458E849AB362DB31ED81CB91

Function 00898EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00898F40
GetProcAddress.KERNEL32(00000000,?), ref: 00898FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00898FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00899032
FreeLibrary.KERNEL32(00000000), ref: 00899052

Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00881043,?,753CE610), ref: 0082F6E6
Part of subcall function 0082F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0086FA64,00000000,00000000,?,?,00881043,?,753CE610,?,0086FA64), ref: 0082F70D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction ID: 60b929f097bcce6ee7fefe4b696a56eedd6c8d6b18f006e0c5331054859c23ff
Opcode Fuzzy Hash: b80ea0c358ed2fd48de22e54cf6773e11fa8f7e692dded6fbce9491ea0d33508
Instruction Fuzzy Hash: E2512835600605DFCB11EF58C4948ADBBF5FF49314B0980A8E85ADB762DB31ED85CB91

Function 008A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 008A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 008A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 008A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0088AB79,00000000,00000000), ref: 008A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 008A6CC7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction ID: bd6812b4266632d4af5f71d46ea338a4ac321d2ff4d322e41208087d612b0896
Opcode Fuzzy Hash: be86487edc27d339706033dabdab7b285bcfad06b14370ebdb6f81e7b36ae26d
Instruction Fuzzy Hash: 7641D535A04104AFEB24DF28CC58FA57BA5FB0B370F190228F895E76E5E771AD61C650

Function 00842051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008420C3
_free.LIBCMT ref: 008420E3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction ID: 0c0055029585b6a5ede671083009e926b2b4ba059ae6854e0cbd3e1833c98b1e
Opcode Fuzzy Hash: e2b5dff7edb89556bad23e4817dbd98baa6b0be6689f8ec7a23aba83bca66215
Instruction Fuzzy Hash: 6F41E132A006089FCB20DF78C880A5EB7F5FF88314F5545A9F615EB396DA31AD01CB81

Function 0082912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00829141
ScreenToClient.USER32(00000000,?), ref: 0082915E
GetAsyncKeyState.USER32(00000001), ref: 00829183
GetAsyncKeyState.USER32(00000002), ref: 0082919D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction ID: 487ef05559f8078eb386c19c77f42f922bac231d16cb43d34cee7b314fb19e01
Opcode Fuzzy Hash: d3beb79cae16491d18229e920deb59dd84695c200b86e5edef35cf6217164da5
Instruction Fuzzy Hash: 6B41407190861AFBDF159F69D844BEEB774FB06324F204216E465E72D0C7345990CB91

Function 00883874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00883922
TranslateMessage.USER32(?), ref: 0088394B
DispatchMessageW.USER32(?), ref: 00883955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00883966

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction ID: 54e1788dc8e24537c2bb99be933a865cd014fac9accea3fa1a02fbf96a78e0fe
Opcode Fuzzy Hash: da56ae7c91a1cc332cfa292e2c3afa9ae4aa0af071271a27d38c9fd1ab40bb40
Instruction Fuzzy Hash: 9931D3709043869EEF35EB34DC88BB67FA8FB07B04F040569E466C65A1E7F49A85CB11

Function 0088CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0088CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0088C21E,00000000), ref: 0088CFF2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ef259ed670530aeb187e1e11ed7e887c0e2bb80d0025d35379899716ec02a0e7
Instruction ID: a2eefc12e4f49fbb293572487e69442805c34a452a1bd162efcf19371fee9f55
Opcode Fuzzy Hash: ef259ed670530aeb187e1e11ed7e887c0e2bb80d0025d35379899716ec02a0e7
Instruction Fuzzy Hash: 34315E71504205EFEB20EFA9D884AABBBF9FF15354B10442EF606D2545DF70AE40DB60

Function 00871901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00871915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008719E2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction ID: 1622a46f3886f23d5150b917ca281bb22efce44ab8c76fee601111a4dea10629
Opcode Fuzzy Hash: ea9dad20c58bbc962efde06cd4799ad01080e6824f7de6061472e84456c9402e
Instruction Fuzzy Hash: BF317871A00219AFDB10CFACC999B9E3BB5FB55315F108229FA25E72D1C770D945CB90

Function 008A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 008A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 008A579D
_wcslen.LIBCMT ref: 008A57AF
_wcslen.LIBCMT ref: 008A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction ID: 3a73f42fc2894542e092b88369ffe703e3402cede2c68ddfd457d8f160162a41
Opcode Fuzzy Hash: 2b13f0d87eef7fcde1340343d4e886b8dfe9366d589eb1493fd3ddb22734e601
Instruction Fuzzy Hash: 4C21B671904618DAEB20CF64DC84AEE7BB8FF46324F108216F929EB580D77499C5CF91

Function 0082990F Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1
GetWindowLongW.USER32(?,000000EB), ref: 00829952

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction ID: 00c066718cb837de5afd814bbebea1668a8ce7d8586a1b89c4821747eaa1f388
Opcode Fuzzy Hash: fba9b56133fc415a0e82017fc7bcf38dcb72e2a827c1603565bda1500cfb94ad
Instruction Fuzzy Hash: D521A1715492909FDB228B34EC59AA53FA0FF13335B19019DE5D2CA1A2D6364992CB50

Function 00890930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00890951
GetForegroundWindow.USER32 ref: 00890968
GetDC.USER32(00000000), ref: 008909A4
GetPixel.GDI32(00000000,?,00000003), ref: 008909B0
ReleaseDC.USER32(00000000,00000003), ref: 008909E8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction ID: 957d2352b0709b077422092f60b066b5011ea88aa13b213724da1bb7b1cd41ca
Opcode Fuzzy Hash: 5c25c11687e209f88ee7c47804089b916926c28287e5f19c291028c5d6a2de1f
Instruction Fuzzy Hash: 67218435A00204AFDB04EF69D944AAEBBE9FF45700F04846CF84AD7751DB70AC44CB50

Function 0084CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0084CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0084CDE9

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0084CE0F
_free.LIBCMT ref: 0084CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084CE31

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction ID: 378cebfd0605599f615f6e3086e9f1bcdaeb3be1f9379b8ff4d593c802daa1ba
Opcode Fuzzy Hash: 42a88adf63b974f84d6a2f45b31112d08fa93c2684b9b4ecaa6abf8d052761e7
Instruction Fuzzy Hash: 8A014F72A0361D7F37611ABAAC88D7B7E6DFEC7BA13150129F905D7201EF618D0291B1

Function 00829639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
SelectObject.GDI32(?,00000000), ref: 008296A2
BeginPath.GDI32(?), ref: 008296B9
SelectObject.GDI32(?,00000000), ref: 008296E2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction ID: aebf369782d2319621c43bdd1c05c81116c575f34e95cfd986090fad30061409
Opcode Fuzzy Hash: 6f68c8e08b7de07214907c8fa42bb561097ddc9dd256406bd5def739d5794265
Instruction Fuzzy Hash: EA217F30802355EBDF11AF28EC4CBA93FA8FB21315F900216F850EA1A2D37458D2CF90

Function 00875711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00875726
_memcmp.LIBVCRUNTIME ref: 00875744
_memcmp.LIBVCRUNTIME ref: 00875757
_memcmp.LIBVCRUNTIME ref: 0087576F
_memcmp.LIBVCRUNTIME ref: 00875787

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction ID: 634e45ce2ec735040f35416cd4ff9cdeceae41a79bf10c671ca393dc5a7247a4
Opcode Fuzzy Hash: a881648d6b5de5e7133eddd9446e4f752a53bd242223186b16e7bc57183cae58
Instruction Fuzzy Hash: C90192A1641A19BAE70C55159D86FBA635CFB627E8F00C020FE1CDA746F7A5ED1082E1

Function 00842DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0083F2DE,00843863,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6), ref: 00842DFD
_free.LIBCMT ref: 00842E32
_free.LIBCMT ref: 00842E59
SetLastError.KERNEL32(00000000,00811129), ref: 00842E66
SetLastError.KERNEL32(00000000,00811129), ref: 00842E6F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 447f8a425c38262dc6a83ecf43315af64649f8c6ab163f904c49406117e3bdf2
Instruction ID: da435009536782110b502a65d46bcc5dce07b8b5f21a795665217bd4463b98dc
Opcode Fuzzy Hash: 447f8a425c38262dc6a83ecf43315af64649f8c6ab163f904c49406117e3bdf2
Instruction Fuzzy Hash: 9101F43220D60D77DA1267396C85E2B2B69FBD23B9BE40129F421E2293EF74CC018121

Function 0087000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?,?,0087035E), ref: 0087002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?), ref: 00870064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0086FF41,80070057,?,?), ref: 00870070

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction ID: ee89200bfad049ea9e2f16d94b934cf0854e0747b46e31833a5e60f3711f8597
Opcode Fuzzy Hash: 6f33481e19e967b5f8a7e5d3641040009eb0cc137cdb390baadeaae4ba8b0225
Instruction Fuzzy Hash: B501AD72600604FFEB108F68DC04BAA7AEDFF497A2F148124F909D2314EB75DD409BA0

Function 0087E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0087E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0087E9A5
Sleep.KERNEL32(00000000), ref: 0087E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0087E9B7
Sleep.KERNEL32 ref: 0087E9F3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction ID: e8671d783757d48a8f54d9dca43c4eb98d644f0c8a34a1dd1580c7c82c7c7990
Opcode Fuzzy Hash: fbf59f5f8103581892fc3e979493bcfe4fc9c98e2e04c7b84aa4814f4dd99aa7
Instruction Fuzzy Hash: 73010532D0162DDBDF00ABE5D859BEDBB78FB0E701F004596EA06F2245CB3495558BA1

Function 008710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00871114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 0087112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00870B9B,?,?,?), ref: 00871136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0087114D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction ID: da3384582b05139e5089db9d02036d53c6da0f7acf89bd89b8a136f7302226ec
Opcode Fuzzy Hash: 0c388830020a4137424687fd29f3d82236c65a8105ea0f3265d78c82b3a84637
Instruction Fuzzy Hash: B9011975200205BFEB114FA9DC4DA6A3B6EFF8A3A0B604419FA45D7760DA31DD009A60

Function 00870FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00870FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00870FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00870FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00870FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00871002

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction ID: b0be2a920a6126f7b4c69688060500b13668765fe8e622d0dd744adbd4239405
Opcode Fuzzy Hash: e5af3018e422cb32dec97d0c4e8a8ebf0e302fe946984c001202941bfe326b05
Instruction Fuzzy Hash: C5F04935200701ABEB214FA89C4DF563BADFF8AB62F104414FA49C6651DE70DC508A60

Function 00871014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction ID: 3f5f91e11c88501fa89fc270732a6624432747475a59cece021461699ccce633
Opcode Fuzzy Hash: 2a298950b3560cccd696698e5590e0d0fd681424442d0ec41fbf814b16d6e512
Instruction Fuzzy Hash: 64F04935200701ABEB219FA8EC4DF563BADFF8A761F104414FA49C6650DE70D8508A60

Function 0088030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880324
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880331
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088033E
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 0088034B
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880358
CloseHandle.KERNEL32(?,?,?,?,0088017D,?,008832FC,?,00000001,00852592,?), ref: 00880365

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction ID: a1a26e24c5108b9d86efd86074efbcf5c755b376fb135f8c02dba47dc13eae9d
Opcode Fuzzy Hash: edcd758a46512f2c6327ecf3334624bb1b681dc22bc204ee9dad8bc805e3aa96
Instruction Fuzzy Hash: BB016C72801B159FCB30AF66D890816FBF9FE602153158A3ED19692A31C7B1A959DF80

Function 0084D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0084D752

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 0084D764
_free.LIBCMT ref: 0084D776
_free.LIBCMT ref: 0084D788
_free.LIBCMT ref: 0084D79A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction ID: 9296f7bf3507a5bfc472f1f11da9265e27329b60633d580bfba55d4c8c5d612f
Opcode Fuzzy Hash: 62f871b8d1889659a193eae531eb8815ee0da2af07252cde60b6ed7707d661fd
Instruction Fuzzy Hash: 78F01D3254A30DAB9621EB69F9C6D1ABFDDFB44710BE40D06F048E7502CB30FC808A65

Function 00875C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00875C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00875C6F
MessageBeep.USER32(00000000), ref: 00875C87
KillTimer.USER32(?,0000040A), ref: 00875CA3
EndDialog.USER32(?,00000001), ref: 00875CBD

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction ID: 16b818071be4168717eeefd5c1ba66fce19e6fb9af3f0e7d9278e30aa7c565a6
Opcode Fuzzy Hash: 9b09bdb1dee2706ff4e2d7125fd6430e4948f21d5e4423edb72cef66be2d1bd0
Instruction Fuzzy Hash: AF018130500B08ABFB219B50DD8EFA677B8FF51B05F04455DA587E14E1DBF4A9848A90

Function 008422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008422BE

Part of subcall function 008429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000), ref: 008429DE
Part of subcall function 008429C8: GetLastError.KERNEL32(00000000,?,0084D7D1,00000000,00000000,00000000,00000000,?,0084D7F8,00000000,00000007,00000000,?,0084DBF5,00000000,00000000), ref: 008429F0

_free.LIBCMT ref: 008422D0
_free.LIBCMT ref: 008422E3
_free.LIBCMT ref: 008422F4
_free.LIBCMT ref: 00842305

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction ID: 253c4deb202b244bb50cee25d458dc7fd7d5d5185d6bf5a418c9e1ded6ceb265
Opcode Fuzzy Hash: 43381f4fe83f3551d9863e2f3f7b85e4a65cf96ba9a6669297e64bf33ade2765
Instruction Fuzzy Hash: 68F05E708091A59B9A12EF99BC81D0C3F68F7187607800A1BF414DA2B5CB711862EFE5

Function 008295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008295D4
StrokeAndFillPath.GDI32(?,?,008671F7,00000000,?,?,?), ref: 008295F0
SelectObject.GDI32(?,00000000), ref: 00829603
DeleteObject.GDI32 ref: 00829616
StrokePath.GDI32(?), ref: 00829631

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction ID: b3c50a94adf40547de9b950cfc38650b340b580122a132a971c889b680b6abd4
Opcode Fuzzy Hash: 0709e0c9139c3cf92ad96fa9b7ad536e31306cfdf3aca2a975c769d097cfd76b
Instruction Fuzzy Hash: ABF04F30005648EBEF126F65ED5C7643FA1FB12322F448214F565994F2CB3489D1DF20

Function 00840F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008410F9
__freea.LIBCMT ref: 00841117

Part of subcall function 00841537: _free.LIBCMT ref: 0084154F

Strings

a/p, xrefs: 008411DE
am/pm, xrefs: 0084117A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction ID: 5fdee0413b8cd5eeb4361d79ea63106bb2752e7aa3d0283ded9a8a3c1cdf9ef7
Opcode Fuzzy Hash: 41649554c4a1ddda6e9bbf398edd4aa16249b15d8a40e0288bbd445748779cb1
Instruction Fuzzy Hash: CAD1DE31A1020E9ADF289F68C89DABAB7B1FF05704F284159E911EBB50D7799DC0CB91

Function 00897B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00830242: EnterCriticalSection.KERNEL32(008E070C,008E1884,?,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083024D
Part of subcall function 00830242: LeaveCriticalSection.KERNEL32(008E070C,?,0082198B,008E2518,?,?,?,008112F9,00000000), ref: 0083028A

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 008300A3: __onexit.LIBCMT ref: 008300A9

__Init_thread_footer.LIBCMT ref: 00897BFB

Part of subcall function 008301F8: EnterCriticalSection.KERNEL32(008E070C,?,?,00828747,008E2514), ref: 00830202
Part of subcall function 008301F8: LeaveCriticalSection.KERNEL32(008E070C,?,00828747,008E2514), ref: 00830235

Strings

Variable must be of type 'Object'., xrefs: 00897C3A
G, xrefs: 00897C7F
5, xrefs: 00897C78

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 3db5c8002fe733099a303e52eb6f040c45e95da58bce6a4f715b392524d7a0c0
Instruction ID: 378f778ff601613632eb0f92874d0ca3bfe1a9629d50d43ccbb12665f515a95a
Opcode Fuzzy Hash: 3db5c8002fe733099a303e52eb6f040c45e95da58bce6a4f715b392524d7a0c0
Instruction Fuzzy Hash: 6F918970A14209EFCF04EF98D8919ADB7B5FF49304F188059F806DB292DB71AE85CB52

Function 00872716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0087B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721D0,?,?,00000034,00000800,?,00000034), ref: 0087B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00872760

Part of subcall function 0087B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0087B3F8

Part of subcall function 0087B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0087B355
Part of subcall function 0087B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B365
Part of subcall function 0087B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00872194,00000034,?,?,00001004,00000000,00000000), ref: 0087B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0087281A

Strings

@, xrefs: 00872832

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction ID: e04bc967268eaf9c8680fde97fd1dd52b0e1a3805ef186f5e0cddd1dba06ca77
Opcode Fuzzy Hash: b03f31979b71c8fe1999019e2264c3e11692615ead24f86757782d4604eaf87f
Instruction Fuzzy Hash: DB411F72900218AFDB10DBA8CD45BDEBBB8FF05700F108095FA59B7185DB71AE85DB91

Function 0084172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00841769
_free.LIBCMT ref: 00841834
_free.LIBCMT ref: 0084183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00841760, 00841767, 00841796, 008417CE

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction ID: 524df0cd09e16bcdfd3f360fcf9fa9e6ce9ada851ad86d15fe89db6edff16341
Opcode Fuzzy Hash: 13955819af2e51a0aa501a5fd4b85d54051b51e16188c0ac1dccfd05616853be
Instruction Fuzzy Hash: BC316D71A4425CEBDF21DB99DC89D9EBBFCFB89310B544166F904DB211D6B08E80CB91

Function 0087C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0087C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0087C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008E1990,01375B08), ref: 0087C395

Strings

0, xrefs: 0087C2DF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction ID: 756c7f3130142dce2905ff85324e22512374db8bdc189acc11f349a20c9fae1b
Opcode Fuzzy Hash: 503e71d9d729636b04418efcc4275b5551d0cc0d0087b83fa5ed4c5d13579e73
Instruction Fuzzy Hash: 814156712043019FD7209F29D885B6ABBE8FB85324F148A1DF9A9D73D5D730E904CB62

Function 008A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008ACC08,00000000,?,?,?,?), ref: 008A44AA
GetWindowLongW.USER32 ref: 008A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A44D7

Strings

SysTreeView32, xrefs: 008A447C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction ID: 9de2c604cbf10b1e829b87333a6d9cce19363ed06d07c2fd60f20eef70d95470
Opcode Fuzzy Hash: 23587f9a4e4894d6de02ba3d6bedcc0ecf51d5b3519f9710f14db884b495cb35
Instruction Fuzzy Hash: 6F319C31201605AFEF208E38DC45BEA7BA9FB4A334F205725F975E25D0D7B4AC909B50

Function 0089304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0089335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00893077,?,?), ref: 00893378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0089307A
_wcslen.LIBCMT ref: 0089309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00893106

Strings

255.255.255.255, xrefs: 00893095, 0089309A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction ID: 9b310032cadc4a259e90056e185f885259427069ac9b769fd231bc22395bafd4
Opcode Fuzzy Hash: 2e663dc0273502947d0f5ba944558a1fc918940c82b9f8e60cc3aa5ec7b2147c
Instruction Fuzzy Hash: 0731D3392002059FCF20EF68C885EAA77E0FF55318F288059E915CB7A2DB36EE45C761

Function 008A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A3F78

Strings

SysMonthCal32, xrefs: 008A3F0B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d101c4c3be42b879beafbeaa0464949b228b0ab920a7d2b4360aedaefeb3a514
Instruction ID: 07d0061374dd1d2b2d984ea14c8d48bda9147267539c7bfe75464a41cc938c52
Opcode Fuzzy Hash: d101c4c3be42b879beafbeaa0464949b228b0ab920a7d2b4360aedaefeb3a514
Instruction Fuzzy Hash: 76219C32610219BFEF218F94DC46FEA3B79FF49714F110215FA15AB1D0DAB5AD908BA0

Function 008A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008A471A

Strings

msctls_updown32, xrefs: 008A4684

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction ID: 6abec5156b7dd2e113903eae3d29bbd116e8be216a22360c2e1769fee626a160
Opcode Fuzzy Hash: f939df726f4f2a83c16492a673b03379a5ca935d99fa401599974cd0e54b05de
Instruction Fuzzy Hash: 9D214CB5600248AFEB10DF68DCC1DAB77ADFB9B3A4B040059FA01DB261DB70EC51CA61

Function 008795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0087961D

Strings

#requireadmin, xrefs: 008795D9
#OnAutoItStartRegister, xrefs: 008795F3
#notrayicon, xrefs: 008795B7

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 44d0a41384de926cf63f921985ff30a53650ff99c9d3eb6e923f4cc8e5538f7c
Instruction ID: ef3a8045a5999bea28da92258f3af03958b3123b2619e4bf22d0b915f4231249
Opcode Fuzzy Hash: 44d0a41384de926cf63f921985ff30a53650ff99c9d3eb6e923f4cc8e5538f7c
Instruction Fuzzy Hash: 6E213B7210422166D331EA299C02FB773ACFFA1314F108029F9CDD7149EB55ED81C2D6

Function 008A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008A3876

Strings

Listbox, xrefs: 008A380F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction ID: 8932e2f165a332976d5831fb03690821ec6cb72adc245aea9cbdb05cd1f80ad5
Opcode Fuzzy Hash: 3a179f5a666ae81e60d6bf1b1bfec0dfac1bb2078cf0dc7405648f22c2c91b8f
Instruction Fuzzy Hash: 85218E72610218BBFF218F54CC85FAB376EFF8A754F108125F9149B590DA75DC528BA0

Function 008849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00884A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00884A5C
SetErrorMode.KERNEL32(00000000,?,?,008ACC08), ref: 00884AD0

Strings

%lu, xrefs: 00884A6F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction ID: b567fcc41e8af2189c777bde43fa98fb1c81de4000a877078b85ed6c298d0272
Opcode Fuzzy Hash: f0cea8f5935274c7b6033fc254f5b78f0206a688aebe0b201e4e1fe37a70e2b8
Instruction Fuzzy Hash: 7E315E75A00119AFDB10DF58C885EAA7BF8FF09308F1480A9E909DB352DB75EE45CB61

Function 008A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008A4271

Strings

msctls_trackbar32, xrefs: 008A4226

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction ID: 5bab714a6eb6b6248163b3f24236fdf01d4d44edfcf5d9d067d13c14169ac188
Opcode Fuzzy Hash: 4369454715c02ce989f01f607bca4648c5939d4fe0720bf19a84cc8d5f567a86
Instruction Fuzzy Hash: 9911E331240248BEFF205E28CC46FAB3BACFF96B54F110124FA55E6090D6B1DC519B60

Function 00872F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00816B57: _wcslen.LIBCMT ref: 00816B6A

Part of subcall function 00872DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
Part of subcall function 00872DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
Part of subcall function 00872DA7: GetCurrentThreadId.KERNEL32 ref: 00872DDD
Part of subcall function 00872DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

GetFocus.USER32 ref: 00872F78

Part of subcall function 00872DEE: GetParent.USER32(00000000), ref: 00872DF9

GetClassNameW.USER32(?,?,00000100), ref: 00872FC3
EnumChildWindows.USER32(?,0087303B), ref: 00872FEB

Strings

%s%d, xrefs: 00872FFF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction ID: 000e411ac42f4a24e38765281c8ac581b02d30d97930df346d50818b3bae0177
Opcode Fuzzy Hash: eb582b516551dbeca6f8521bd78ba54a3d5ba5c841bb9a41fe5efb9a9ef49258
Instruction Fuzzy Hash: CB11E4716002096BDF10BF788C85EED3B6AFF94314F048079F90DDB256EE3099459B62

Function 008A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008A58EE
DrawMenuBar.USER32(?), ref: 008A58FD

Strings

0, xrefs: 008A588F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4f0e89b0bcbf5182327e4b590d961c5a349ff9037ac7ff81ca4800b3a64e159f
Instruction ID: d79603d81fc7f8a8b1f0234cba6b397bdc0a4eb05638a5f8cabb4ee0721517a0
Opcode Fuzzy Hash: 4f0e89b0bcbf5182327e4b590d961c5a349ff9037ac7ff81ca4800b3a64e159f
Instruction Fuzzy Hash: 34015B31500218EEEB219F15EC44BAFBBB4FF46360F1480A9F949DA552DB308AC4DF21

Function 0087007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction ID: a674420898bac3a123476b380722b27479a30620ea25abcfb93f0f04c0dd7bc9
Opcode Fuzzy Hash: d93edae1f780acef7607408cb36c24467d2573c3111f0dd7ebd19af59b8ae7db
Instruction Fuzzy Hash: C5C15B75A0020AEFDB14CFA8C894AAEB7B5FF48704F208598E509EB255D731EE41CF90

Function 00843E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00843F0B
__alldvrm.LIBCMT ref: 0084410C
__alldvrm.LIBCMT ref: 0084412E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: bdd3aa2d138fd32e9761ab77202e9b0e78ca374822361d79d2c0961c51e7ef86
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 67A14671E0078E9FEB25CF18C8917AEBBE4FF61354F14416EE585DB282C6388985C751

Function 0089342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00893459
CoUninitialize.OLE32 ref: 00893463
VariantInit.OLEAUT32(?), ref: 0089346E
VariantClear.OLEAUT32(?), ref: 0089371B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 02f4400a57079815fba8c626903e4506b9b13aa8b5baedd3150d98860d271fea
Instruction ID: fe9880188b10c011bc80e0b225d3e5a36c7e57b30e0c7b10b181cf1f035e9d8b
Opcode Fuzzy Hash: 02f4400a57079815fba8c626903e4506b9b13aa8b5baedd3150d98860d271fea
Instruction Fuzzy Hash: F7A13D756042109FCB11EF68C485A5AB7E9FF88714F09885DF98ADB362DB30ED41CB52

Function 00870436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 008705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008AFC08,?), ref: 00870608
CLSIDFromProgID.OLE32(?,?,00000000,008ACC40,000000FF,?,00000000,00000800,00000000,?,008AFC08,?), ref: 0087062D
_memcmp.LIBVCRUNTIME ref: 0087064E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0483db154575b93e934328fce3879abc29c1bf8e03dc871b8b3b8acce51174ea
Instruction ID: 1b8caa126e3dd3b9c995dc00dbe1d6d367a7298840d45c9140e5ea7279e5b0c6
Opcode Fuzzy Hash: 0483db154575b93e934328fce3879abc29c1bf8e03dc871b8b3b8acce51174ea
Instruction Fuzzy Hash: A281E971A00209EFCB04DF94C984DEEB7B9FF89315B208558E516EB254DB71AE46CF60

Function 0089A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0089A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0089A6BA

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Process32NextW.KERNEL32(00000000,?), ref: 0089A79C
CloseHandle.KERNEL32(00000000), ref: 0089A7AB

Part of subcall function 0082CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00853303,?), ref: 0082CE8A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 38147824b9a2868636974e0e343b1733d379a1739a7811c298bf4440aa08b667
Instruction ID: 0f08d981f3fe2be853bd64791ea702b4db2d24db2ba27e6c9137a4145dd5b283
Opcode Fuzzy Hash: 38147824b9a2868636974e0e343b1733d379a1739a7811c298bf4440aa08b667
Instruction Fuzzy Hash: 0B515B71508310AFD714EF28D886AABBBE8FF89754F00492DF595D7252EB30D944CB92

Function 00851391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008514C0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 672f744f3447d2cd063c7dd696c9500d30e45b35e6467c4bd001fe2e097314c2
Instruction ID: d01f969fcb6dfbc7fc5695d221e4f46e2030c880d7de4799ae7a9fb73a9ab19b
Opcode Fuzzy Hash: 672f744f3447d2cd063c7dd696c9500d30e45b35e6467c4bd001fe2e097314c2
Instruction Fuzzy Hash: D9414C35A00104ABDF216BBDDC8DBBF3AA6FF81371F144225FC19D6292E6B4484553A7

Function 008A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008A62E2
ScreenToClient.USER32(?,?), ref: 008A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008A6382

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction ID: 492b881e8a57786133ff15c9183488376116d6438774d2d0e4fd85fbf605df35
Opcode Fuzzy Hash: 96d7adc506ee0a029fa13765b21b23f2c1fce436aeaec421446f3c0aa19347b9
Instruction Fuzzy Hash: 16514A70A00209EFEF10DF68D880AAE7BB5FF56360F148169F815DB694E770AD91CB50

Function 00891AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00891AFD
WSAGetLastError.WSOCK32 ref: 00891B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00891B8A
WSAGetLastError.WSOCK32 ref: 00891B94

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b922aff71c0cb142b93f436522e42be5006d97ac11e9f5a52e4ccb99d5eae879
Instruction ID: 93791ad3dae93623745be24a84403d97412971f50af63c1c06956d1cfcaabcf7
Opcode Fuzzy Hash: b922aff71c0cb142b93f436522e42be5006d97ac11e9f5a52e4ccb99d5eae879
Instruction Fuzzy Hash: 0B41AF346402006FEB20AF28C88AF6577A5FF44718F588448F5169F3D2D672ED828B91

Function 0084B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction ID: 692cff2035023ea6240168e260a26bf56bd9a502c00166662f6a8358fc0527e0
Opcode Fuzzy Hash: 1225d5204238bf20b7509eae421cc2f0ac13e3faf93d1b3bda4a5500361c30ba
Instruction Fuzzy Hash: 78410471A00308AFD7249F7CCC46BAABBA9FB88720F10852AF555DB682D771D9018781

Function 008856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00885783
GetLastError.KERNEL32(?,00000000), ref: 008857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008857FA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction ID: f6ba009f8e429f25e2b05d8a004b5c5063004948f7593f931015dc2c89299e08
Opcode Fuzzy Hash: 6f3d906f4b584d8995183e460b498ecbaa6e824d2861b2088463d9daf7e36aab
Instruction Fuzzy Hash: 1A41FB35600610DFCB11EF19C545A9ABBF6FF49720B198498E84A9B362CB34FD41CB92

Function 0084D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00836D71,00000000,00000000,008382D9,?,008382D9,?,00000001,00836D71,8BE85006,00000001,008382D9,008382D9), ref: 0084D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0084D9AB
__freea.LIBCMT ref: 0084D9B4

Part of subcall function 00843820: RtlAllocateHeap.NTDLL(00000000,?,008E1444,?,0082FDF5,?,?,0081A976,00000010,008E1440,008113FC,?,008113C6,?,00811129), ref: 00843852

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction ID: de722104b89663ece983ae1241342df0e2e60f491f5cc2d6dbbbc14b5732fce7
Opcode Fuzzy Hash: c7aeac4a2b1e0bc14ea050de4d3da000f2a20009ab3b24445dd402bd7d1842a5
Instruction Fuzzy Hash: 0531BC72A0020AABDF249F69DC45EAE7FA5FB41710F054268FC04DB2A0EB35DD51CBA1

Function 008A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 008A5352
GetWindowLongW.USER32(?,000000F0), ref: 008A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008A53A8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction ID: 1e9e20cdf1d3294bd825ee9255f0b720e075fe04c585ac9e6155e6fdde2111de
Opcode Fuzzy Hash: 0077c2ebab92b3f714f106d35e6fc4e855c89abb7395403b6e41d99f8364dd9f
Instruction Fuzzy Hash: 5D31BC30A55A0CEFFF249A14CC56BE977A5FB97390F584001FA11D6BE1C7B099C09B42

Function 0087AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0087ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0087AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0087AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0087ACC6

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction ID: 6e3cc8169bef93ee6b16cc8db4a581f2a5222ec5adcc1feca24462275a45a528
Opcode Fuzzy Hash: fcf8206580bfd3b6b6a68f149f03a694fa7b616059fa42bad8c333780e0183a2
Instruction Fuzzy Hash: A731E530A00618BFFB2ACB65C805BFE7AA5FBC5320F08C21AE489D21D9C375C9859752

Function 008A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 008A769A
GetWindowRect.USER32(?,?), ref: 008A7710
PtInRect.USER32(?,?,008A8B89), ref: 008A7720
MessageBeep.USER32(00000000), ref: 008A778C

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction ID: 5e45a9593f3564b9fe6b3d5f01604565b7821b0a96fa1a35beac7e57dc1c0391
Opcode Fuzzy Hash: e19c37178fd2f5c4dc14de76c2920d27583b8cf159f9dc467588171697dd4658
Instruction Fuzzy Hash: C0418B34A09254DFEB01DF58CC98EA9BBF5FB4A314F1940A8E914DFA61D730A941DF90

Function 008A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008A16EB

Part of subcall function 00873A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00873A57
Part of subcall function 00873A3D: GetCurrentThreadId.KERNEL32 ref: 00873A5E
Part of subcall function 00873A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008725B3), ref: 00873A65

GetCaretPos.USER32(?), ref: 008A16FF
ClientToScreen.USER32(00000000,?), ref: 008A174C
GetForegroundWindow.USER32 ref: 008A1752

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction ID: e4fc89d3d97fcea4a51578b8904faf9ff7dc9092e23ea4bdbc322ba48e2b21ab
Opcode Fuzzy Hash: 93b50d38704a9c82858349d586bbf17cdcb464296c28b17c38a4b39cc0612bdd
Instruction Fuzzy Hash: C3312C75D00249AFDB00EFA9C8858EEBBFDFF49304B5080A9E415E7611EA31DE45CBA1

Function 0087DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

_wcslen.LIBCMT ref: 0087DFCB
_wcslen.LIBCMT ref: 0087DFE2
_wcslen.LIBCMT ref: 0087E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0087E018

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: ca962358a774832dd039aec81ea3d76bf0646ec56ec30c3cce34ebc7ce6c656c
Instruction ID: 27eeb7578f45dc0c8f898412ca71760c8e5469243fb954b548e7b43abff10c0d
Opcode Fuzzy Hash: ca962358a774832dd039aec81ea3d76bf0646ec56ec30c3cce34ebc7ce6c656c
Instruction Fuzzy Hash: 16219471900614AFCB109F68D982BAEB7F8FF89750F144065E909FB345D6749D40CBE2

Function 008A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

GetCursorPos.USER32(?), ref: 008A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00867711,?,?,?,?,?), ref: 008A9016
GetCursorPos.USER32(?), ref: 008A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00867711,?,?,?), ref: 008A9094

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction ID: 37203aff76f6772b7496d162f0d39eda045ff7b5586eb3444ab0e87a13f11ac5
Opcode Fuzzy Hash: 802ae1c3accfb1fb24e8e784ca2e05d0968f9a3f3b79b9ea6641d144f2789ecb
Instruction Fuzzy Hash: 4D21BF35600418EFEF258F94C898EEA7BF9FB4A3A0F104065F9458B661C3319990DB60

Function 0087D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,008ACB68), ref: 0087D2FB
GetLastError.KERNEL32 ref: 0087D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0087D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008ACB68), ref: 0087D376

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction ID: 54524df990ed233b841e45423b6238b2ed6baa6227f45b31dfa8d05ebd821971
Opcode Fuzzy Hash: 1da8667c7786cd399d4d30a26973308c83160d3d8297c2878514bb7639ccaff9
Instruction Fuzzy Hash: 012151705093019F8710DF28C8818AA77F8FE56768F508A1DF4A9C73A1EB31D946CB93

Function 00871571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087102A
Part of subcall function 00871014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00871036
Part of subcall function 00871014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871045
Part of subcall function 00871014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087104C
Part of subcall function 00871014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00871062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008715BE
_memcmp.LIBVCRUNTIME ref: 008715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00871617
HeapFree.KERNEL32(00000000), ref: 0087161E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction ID: e1847ddd93bb3e6c3e97eeefebf7608d05226d2cfdce96467c4c34756ebe5688
Opcode Fuzzy Hash: d8f67d9c109542e4c6189ec2a4df19a35806e38819ed02f636a3e77cfe7caee3
Instruction Fuzzy Hash: 72215531E00108ABDF14DFA8C949BEEB7B8FF94344F188459E449EB645E730AA05DBA0

Function 008A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 008A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008A2840

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9287424edcaed299af986f08545ab4d9e6a0997779b024516ef239ad85a2b6f2
Instruction ID: 9bbc0fe5c44e02afb23a26ae2828b828ef227f5f535d77ddd4a5b4c5d4aeefc5
Opcode Fuzzy Hash: 9287424edcaed299af986f08545ab4d9e6a0997779b024516ef239ad85a2b6f2
Instruction Fuzzy Hash: 0121D631604515AFE724DB28C844FAA7799FF46324F148158F426CBAD2CB75FD82C791

Function 008778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00878D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878D8C
Part of subcall function 00878D7D: lstrcpyW.KERNEL32(00000000,?,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00878DB2
Part of subcall function 00878D7D: lstrcmpiW.KERNEL32(00000000,?,0087790A,?,000000FF,?,00878754,00000000,?,0000001C,?,?), ref: 00878DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877923
lstrcpyW.KERNEL32(00000000,?,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00878754,00000000,?,0000001C,?,?,00000000), ref: 00877984

Strings

cdecl, xrefs: 0087797B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1e605e39a30c2a7d09c049b73e2dbfd56e31ecc66b40acf08886588b46c5e4dd
Instruction ID: 6f7c5b75f43cd821c646bfaeba85ce21e971f0e5142ec2e2b341117d9f828401
Opcode Fuzzy Hash: 1e605e39a30c2a7d09c049b73e2dbfd56e31ecc66b40acf08886588b46c5e4dd
Instruction Fuzzy Hash: 5511D63A201201ABDB155F38D845E7A7BA9FF95350B50802AFA4ACB368EB35D811D791

Function 008A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 008A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 008A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0088B7AD,00000000), ref: 008A7D6B

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction ID: 89bb729273058218c7ad3c90d4f201cd902f36a574f83983d7d59ac7c618b2dd
Opcode Fuzzy Hash: 79504c950d7234db5e68035243993189fd9a2a9f87de340fb081938df71cca93
Instruction Fuzzy Hash: 4E11A231604665AFEB109F28CC08A6A3BA5FF47370B154728F835DB6F0E7309950DB50

Function 008A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008A56BB
_wcslen.LIBCMT ref: 008A56CD
_wcslen.LIBCMT ref: 008A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 008A5816

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction ID: 2c41c547b402ba1ecd8245d7faee0a8443883dd5996f5d04bbb0c5c77d5a45cf
Opcode Fuzzy Hash: cfc0959a789f41a619c80e8ee77ef59740836dbd3523c96c304e6cdde703f927
Instruction Fuzzy Hash: 7711E471600A18A6EF20DF65DC85AEE3B6CFF16764F104026F915D6481EB7489C0CBA5

Function 00841D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b35ac9c1d304358c4ff1709fdecfb3e7c738738f940dd3d85cbede0a03cca5
Instruction ID: 1ea641b4aad8be634e6ff706453ad176409a5936bccea32bc40b1d38cf4df933
Opcode Fuzzy Hash: 09b35ac9c1d304358c4ff1709fdecfb3e7c738738f940dd3d85cbede0a03cca5
Instruction Fuzzy Hash: 64014BF2A0961E7EFA212AB86CC5F676A1DFF423B8B341325F531E11D2DB709C809161

Function 00871A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00871A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00871A8A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction ID: fb5fde697ae645fcad23c2c298370b157a69ab05346f17c271405f9ff8a0a19c
Opcode Fuzzy Hash: 216ca4fb950dc030157d9e5b0d35c3b597bfbcc100f6239a4354c09cf711a1aa
Instruction Fuzzy Hash: F211183A901229BFEF109BA88985FADFB78FB14750F204091E604B7294D671AE509B94

Function 0087E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0087E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0087E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0087E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0087E24D

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction ID: 77a5064ba95d423b978095cb804219649e47c058c7e0e9f77e401e263b7ce2cc
Opcode Fuzzy Hash: b7def3bfc5ff49444ee988c3f04f27ccaa2fcb467596e5e36079eeab1e31d691
Instruction Fuzzy Hash: 30112B72A04258BBDB019FA89C49A9F7FACFB46315F008255F828D7395D774CD0087A0

Function 0083D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0083CFF9,00000000,00000004,00000000), ref: 0083D218
GetLastError.KERNEL32 ref: 0083D224
__dosmaperr.LIBCMT ref: 0083D22B
ResumeThread.KERNEL32(00000000), ref: 0083D249

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction ID: 8d5bb60d8960a5651c0f9fae930802bee3ae347f43d13a1c569f81bd338128be
Opcode Fuzzy Hash: da2e0f283d007c36e2b3fccf6a900bf368fdbbdbc8bd140bd4ca7a5c8f464bbe
Instruction Fuzzy Hash: 7F01C036805208BBDB215BA9EC09AAF7A69FFC2731F104229F925D21D1CF719901C6E1

Function 008A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00829BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00829BB2

GetClientRect.USER32(?,?), ref: 008A9F31
GetCursorPos.USER32(?), ref: 008A9F3B
ScreenToClient.USER32(?,?), ref: 008A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 008A9F7A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 3b4f92ec2c5e2b5a5cf768c7c0d99e5be3e9cf186a9c2f094185845a84507d4c
Instruction ID: 4a7621b270078d10fa37634397c8430c2c8eaeccfbea6f28f2349c71a9c12c65
Opcode Fuzzy Hash: 3b4f92ec2c5e2b5a5cf768c7c0d99e5be3e9cf186a9c2f094185845a84507d4c
Instruction Fuzzy Hash: E211363290415AAFEF10DFA8D8899EE77B8FB06311F000455FA41E3540DB30BA81CBA1

Function 0081600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
GetStockObject.GDI32(00000011), ref: 00816060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction ID: dc22e2270e1e73e54e7b9313f03b35b6d3b4378cf3e1b16d65ee66283a0090fd
Opcode Fuzzy Hash: f98cb10c6f42464350d607d70f5cd10c59bbb080bce9bf8a812bf6998f532a7e
Instruction Fuzzy Hash: 02116172501948BFEF129F949C44EEA7BADFF1D364F040115FA54A2110D732DCA0DB90

Function 00833B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00833B56

Part of subcall function 00833AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00833AD2
Part of subcall function 00833AA3: ___AdjustPointer.LIBCMT ref: 00833AED

_UnwindNestedFrames.LIBCMT ref: 00833B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00833B7C
CallCatchBlock.LIBVCRUNTIME ref: 00833BA4

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f2d0ce4de731a3d39ffe9c9cb3b120496c0fb00301fa09308771886bbdf8b20d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3401E932100149BBDF125E99CC46EEB7B69FF98764F044414FE48A6121C736E961DBE1

Function 00843073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008113C6,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue), ref: 008430A5
GetLastError.KERNEL32(?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000,00000364,?,00842E46), ref: 008430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0084301A,008113C6,00000000,00000000,00000000,?,0084328B,00000006,FlsSetValue,008B2290,FlsSetValue,00000000), ref: 008430BF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction ID: 0d39aabcaaada561ce6bfa8659a9df9b04534d8e5dcd2aac2d4f39c0f551cf95
Opcode Fuzzy Hash: a495ce06e9082e76bb100198867c74f8200dfab9ae63a0a3f2e3c88c143f3194
Instruction Fuzzy Hash: 03014E32301A2AABDB314B789C44A577BD8FF06B71B200720F905E7240CB21DD01C6E0

Function 00877464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0087747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00877497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008774CA

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction ID: cd7025eb0b5b219e1f9f82a4429908403823ee5d5422c83ed54ca29c391ebaf8
Opcode Fuzzy Hash: f6fa6737ca62b5028bb1e93edc27462fc249eea587cac4ddf6956ec3640d1998
Instruction Fuzzy Hash: 81118EB12093159BF7208F24DC08B927BFCFB04B04F10C569A61AD6555D7B0E944DB98

Function 0087B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0087ACD3,?,00008000), ref: 0087B126

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction ID: 335c273efdcec33ea3252cc758ec1f4fa3484ad3f24924cc69df86959124c64e
Opcode Fuzzy Hash: ece8c9bbfa408220dc36c8bf1943defcfa2e8b072f81a4e6acd6d960005f1601
Instruction Fuzzy Hash: 38117C30E0152DD7DF00AFE4E9687EEBB78FF0A311F008085D945B2145DB3085918B65

Function 008A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008A7E33
ScreenToClient.USER32(?,?), ref: 008A7E4B
ScreenToClient.USER32(?,?), ref: 008A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008A7E8A

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 547bfc000c1d22890f980df8f9cea52fac6fe52a32fb891f4bdcfa4ca125752f
Instruction ID: 05452f8a6072fac080d38dfc86925273f481c0acbb3d1987428ea5d766fe31cd
Opcode Fuzzy Hash: 547bfc000c1d22890f980df8f9cea52fac6fe52a32fb891f4bdcfa4ca125752f
Instruction Fuzzy Hash: A81156B9D0020AAFDB41CF98C8849EEBBF5FF19310F505056E915E3610D735AA54CF50

Function 00872DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00872DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00872DD6
GetCurrentThreadId.KERNEL32 ref: 00872DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00872DE4

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction ID: c9f204e13d289a1f9c3bb234e9a601e5c815049e4e487c11bd16eea94a466b06
Opcode Fuzzy Hash: caf9b77eaf14c7a95523af6734b9df01d90c9784492d8ecbe835efa11231e334
Instruction Fuzzy Hash: D1E012B16052287BE7305B739C0DFEB7E6CFF57BA1F404119F50AD14909AA5C941C6B0

Function 008A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00829639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00829693
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296A2
Part of subcall function 00829639: BeginPath.GDI32(?), ref: 008296B9
Part of subcall function 00829639: SelectObject.GDI32(?,00000000), ref: 008296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 008A8887
LineTo.GDI32(?,?,?), ref: 008A8894
EndPath.GDI32(?), ref: 008A88A4
StrokePath.GDI32(?), ref: 008A88B2

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction ID: d8fb30f4e1c3d7ee76d523d780a7196f2420225211d8d7a97e5c6e77a1fedd9e
Opcode Fuzzy Hash: 4194ab208ed2d62784bcb0a96af73e61ebd53745f1fd397012b763e14bf84223
Instruction Fuzzy Hash: 17F03A36045658FAEB126F94AC0DFCE3E59BF06310F448000FA11A54E2CB795551CBA9

Function 008298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008298CC
SetTextColor.GDI32(?,?), ref: 008298D6
SetBkMode.GDI32(?,00000001), ref: 008298E9
GetStockObject.GDI32(00000005), ref: 008298F1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction ID: e85a301ed0767817e4dceed4a52940ca3ebba8dccd31675d4aa79d360dbe61b6
Opcode Fuzzy Hash: 82a88f8ad3401d7700bc26ef8ad905bf42bcc5f4bf3e85cb1151fa6e60a6ede6
Instruction Fuzzy Hash: 3DE06D31244280AAEB215B74BC0DBE83F61FB13336F048219F6FA984E1C77246809B10

Function 0087162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00871634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008711D9), ref: 00871648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008711D9), ref: 0087164F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction ID: 5cb9d100a12dee9a0f3ffd42428f2f0f0492014f60551e8dc2331866d5919947
Opcode Fuzzy Hash: 4ddf26440a961d8ba8e26641bf14a24f5231e0e95527ce489558c8959c61eb62
Instruction Fuzzy Hash: 34E08C32602211EBEB201FA5AE0DB873BBCFF56792F148808F249C9480EA388540CB60

Function 0086D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D858
GetDC.USER32(00000000), ref: 0086D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction ID: 36bdff0617f8f45a55eb48bac9e64bbb2dd6fedc5241512380eade3e18de9dd5
Opcode Fuzzy Hash: 1bce8d339edf1806da5962e74b54f92e6d232b5e6229b747f3f0744b4817cb54
Instruction Fuzzy Hash: FAE01AB0800208DFDB419FA0D80C66DBBB5FB19310F109419E806E7750CB388941AF40

Function 0086D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0086D86C
GetDC.USER32(00000000), ref: 0086D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0086D882
ReleaseDC.USER32(?), ref: 0086D8A3

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction ID: b5eea3b0b73ec0060532e985c5607dd124d347e47e3385808e0d169001aad6c7
Opcode Fuzzy Hash: 5e7415956cef5788422355c7576713a226b4b0ee8d55a63a3dcd15fce1b84e83
Instruction Fuzzy Hash: FCE012B0800204EFDB41AFA0D80866EBBB5FB18310B109008E80AE7760CB389942AF40

Function 00884D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00817620: _wcslen.LIBCMT ref: 00817625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00884ED4

Strings

LPT, xrefs: 00884DFB
*, xrefs: 00884E10

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 84421fdaf09ff374fe5f9792ffd7ebd89058ee103018b9c2a97f79e158f8aed2
Instruction ID: 1cf7b925eaf80a0c34e1e1c543900a46ed6a081e7db964ff9365f092490cacea
Opcode Fuzzy Hash: 84421fdaf09ff374fe5f9792ffd7ebd89058ee103018b9c2a97f79e158f8aed2
Instruction Fuzzy Hash: A2914A75A002059FCB14EF58C484EAABBB5FF44318F18909DE90A9F362DB35ED85CB91

Function 0083E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0083E30D

Strings

pow, xrefs: 0083E2E5, 0083E302

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction ID: eed8ba0503fbd399c0b0042d102b0402cf0c1847dd5716c3cc96a5936a14dfd3
Opcode Fuzzy Hash: 5def7ce09ad62495d409d33ef6f4bc13ea5623d90ae562cfed03a0b16ba5aed8
Instruction Fuzzy Hash: 48512B61E1C20A96DB157728C9413BA3BA4FB80B40F744E68F0D5C63EDEF358C959AC6

Function 0082E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0082E1B1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c68b429e5d68b61367992833169be3608f474c44932c1f8fc789585fc06c15f
Instruction ID: 4556106f470561206a6db3c08deeac102d2a16df287557cd272e8d0a81a1994a
Opcode Fuzzy Hash: 7c68b429e5d68b61367992833169be3608f474c44932c1f8fc789585fc06c15f
Instruction Fuzzy Hash: 9951233950025ADFDF15DF68D485AFA7BA8FF26310F244059F892DB2D0D6349D82CBA1

Function 0082F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0082F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0082F2BB

Strings

@, xrefs: 0082F2AF

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction ID: 7da5f998818ab42650d68e552cf76a7c59f5f7981ff1be1eed4cabc25172b6a1
Opcode Fuzzy Hash: be47045f6b66b0bdfb8cdd3fd2d91c67a9cd1206e5822491f6b46767a44836af
Instruction Fuzzy Hash: 09512571418B449BD320AF14D886BABBBFCFF85300F81885DF2D9811A5EB709569CB67

Function 00895745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008957E0
_wcslen.LIBCMT ref: 008957EC

Strings

CALLARGARRAY, xrefs: 008957E6, 008957EB

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c7b8de6b44f4770eeca8b8ac9feed71a9efeabc8e1a7dfca4dd79deb018b01e8
Instruction ID: effa3ddb0e226fc93bd8c3f64d8fd70fbdfb6fb6f779f8499781985bd480b2cf
Opcode Fuzzy Hash: c7b8de6b44f4770eeca8b8ac9feed71a9efeabc8e1a7dfca4dd79deb018b01e8
Instruction Fuzzy Hash: A941AE71A002099FCF04EFA9C8859EEBBB5FF59724F148069E505E7291E7309D81CB91

Function 0088D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0088D13A

Strings

|, xrefs: 0088D10B

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 32e93493c287f7c2e00d6278ce898fd2f4e9cd67e9a91db773c25a824288c465
Instruction ID: dd0c2e8da79077e7c41627ed5b7c2bc27eda91f4085055af24e4694837bf177b
Opcode Fuzzy Hash: 32e93493c287f7c2e00d6278ce898fd2f4e9cd67e9a91db773c25a824288c465
Instruction Fuzzy Hash: CE311975D00219ABCF15EFA8CC85AEEBFB9FF04300F100119F815E6166EB31AA56CB61

Function 008A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 008A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008A365C

Strings

static, xrefs: 008A35BC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 18c7db22b66633bf473f5e510e9772702302503f41620cbe72430220cb92675c
Instruction ID: 00dc7420d71a048c6abe6c0ec381e18b52da38ad663ba00b93b3bece0a34727c
Opcode Fuzzy Hash: 18c7db22b66633bf473f5e510e9772702302503f41620cbe72430220cb92675c
Instruction Fuzzy Hash: 28318B71500604AEEB109F68DC80EFB73A9FF99724F008619F8A5D7280DA31AD91DB60

Function 008A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 008A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A4634

Strings

', xrefs: 008A458E

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction ID: 0bf9d817e3adad4fe23feab810267e167f6e9b366ef4784aec4e54a9c85b72f9
Opcode Fuzzy Hash: 950e127f3647ddbf4f30ece5d7768d15126ef2df46d9186fe7b94bb70208dcfa
Instruction Fuzzy Hash: 51312874A0120A9FEF14CF69C980BDABBB5FF8A300F105069E904EB741D7B0A941CF90

Function 008A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A3287

Strings

Combobox, xrefs: 008A3249

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction ID: 7c067a09a8394a5ccffd7e103a6c9d000e478924f014b4dd36bfa042bc5be73f
Opcode Fuzzy Hash: d1373fc561a16150c0e4ab401aa0d09e384df0be69368b89288b0d167568788c
Instruction Fuzzy Hash: B011B2713002087FFF219E94DC85FBB3B6AFB9A3A5F104129F918E7690D6319D5187A0

Function 008A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0081600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0081604C
Part of subcall function 0081600E: GetStockObject.GDI32(00000011), ref: 00816060
Part of subcall function 0081600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0081606A

GetWindowRect.USER32(00000000,?), ref: 008A377A
GetSysColor.USER32(00000012), ref: 008A3794

Strings

static, xrefs: 008A3757

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction ID: 0e14cf02875783ca7e5c1eeee1e3f7a9077e1ff5f16a2163c447d1649ce35172
Opcode Fuzzy Hash: f2e86444e8a81d2b79acb4de1d783748215f0754e8829ed52baa4a9a5885c213
Instruction Fuzzy Hash: 0811F9B2610209AFEF01DFA8CC45EFA7BB8FB09354F004525F955E2250E775E9519B60

Function 0088CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0088CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0088CDA6

Strings

<local>, xrefs: 0088CD66

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction ID: 04ba3b047b8d678203356d3ae68de9d5b3562bfaa62c10c5c620c539fb01e870
Opcode Fuzzy Hash: a99e7740e1c2e68787fcc6e86141af69f5ba67435f6903dffe216a9401de8810
Instruction Fuzzy Hash: 8C11A371205636BAD7746B668C45EE7BEA8FB127A4F004226B109C3184D6749841D7F0

Function 008A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008A34BA

Strings

edit, xrefs: 008A348F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction ID: f3b2856bd3e267dbafb9a2bc4cb5c9b123dc9b31c8922b1164eef5c656518fc2
Opcode Fuzzy Hash: 22a6e565d55c22cd88fce54aa9b97c8bb93bbcfdb687999a9d6965398f8b51ed
Instruction Fuzzy Hash: 1E116D71501208ABFB118E64DC44AAB3B6AFB2A378F504324F961D79D0C771DD919B68

Function 00876C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

CharUpperBuffW.USER32(?,?,?), ref: 00876CB6
_wcslen.LIBCMT ref: 00876CC2

Strings

STOP, xrefs: 00876CBC, 00876CC1

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 094e6db393e83843d9ded90f7438879dc6bda3dcc2e04bf627a1771464d241cb
Instruction ID: b41f7b547dbe74b910470fc6992e6f5e886f0907743b8c119f75df931a58b85e
Opcode Fuzzy Hash: 094e6db393e83843d9ded90f7438879dc6bda3dcc2e04bf627a1771464d241cb
Instruction Fuzzy Hash: 7C010432A109268ACB219FBDCC809BF37A8FFA1710B104528E966D6198FB32D960C650

Function 00871CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00871D4C

Strings

ComboBox, xrefs: 00871CEB
ListBox, xrefs: 00871D16

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6c8ce1730ac12f9836299670a07a548e607a9e8f2651ba250e5ed8f9f097e3b7
Instruction ID: e531934f340717fc4f21d8d8b70de52a75fa001daac7a6b7489ac931e99446ca
Opcode Fuzzy Hash: 6c8ce1730ac12f9836299670a07a548e607a9e8f2651ba250e5ed8f9f097e3b7
Instruction Fuzzy Hash: 2E012D316001186BCF14EBACCC55CFE7768FF43390B00461AF876D73C5EA3099089A61

Function 00871BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00871C46

Strings

ComboBox, xrefs: 00871BE5
ListBox, xrefs: 00871C10

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 60fb58d43199c612b91f494e11673e5b0d8caa68ee32c80cfc6b4f9856321838
Instruction ID: 97efb2f01797dae4c7a5ee1a49cef128f5b836c715748fe7fe9445c844588d8b
Opcode Fuzzy Hash: 60fb58d43199c612b91f494e11673e5b0d8caa68ee32c80cfc6b4f9856321838
Instruction Fuzzy Hash: A701D87168010866CF05E7D8C9569FF73ACFF51340F20001AE85AE7685EA20DB0896B2

Function 00871C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00871CC8

Strings

ComboBox, xrefs: 00871C69
ListBox, xrefs: 00871C94

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6de89846e7f303fea54a5b666a86feca7152a545d528d5869405c8496b1db967
Instruction ID: f9d184419b2ce5dc4f2ef4ca7f824033314464e91e528798622f664b9f6cb4ac
Opcode Fuzzy Hash: 6de89846e7f303fea54a5b666a86feca7152a545d528d5869405c8496b1db967
Instruction Fuzzy Hash: BF01A77168011866DF15EBD8CA16AFE73ACFF51340B144016B886F3685EA20DF0896B2

Function 00871D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00819CB3: _wcslen.LIBCMT ref: 00819CBD

Part of subcall function 00873CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00873CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00871DD3

Strings

ComboBox, xrefs: 00871D75
ListBox, xrefs: 00871DA0

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fbb43e2c249fc3cdf9e5453718bf4fea1e8899c539ac35746caaa7e716a38299
Instruction ID: 9a0997873958864754af28ee19d33841b9d2eca4189adede1b3b651edc636cb1
Opcode Fuzzy Hash: fbb43e2c249fc3cdf9e5453718bf4fea1e8899c539ac35746caaa7e716a38299
Instruction Fuzzy Hash: 41F0A971A4121866DB14E7ACCC56FFE776CFF02350F040916F8A6E36C5DA609A0896A2

Function 0089747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00897493
_wcslen.LIBCMT ref: 008974B9

Strings

3, 3, 16, 1, xrefs: 00897483

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction ID: b0c9570cc18cc8bc6e0a15935c1d22ab9417d6bbdfd743e821ef7492abd84201
Opcode Fuzzy Hash: df59a66127e7b75d86255d5a14dc38a940b4f97438c8431816359d7ee2eac021
Instruction Fuzzy Hash: F9E02B02224220109731327DDCC1B7F5B89FFC9760B18282BFD85C2377EA989D9193E6

Function 00870B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00870B23

Strings

Error allocating memory., xrefs: 00870B1C
AutoIt, xrefs: 00870B17

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: dbc1b14c4c3b9337e389da45c198b71e03bc5b8b26dd5e3afe255dc60378f1db
Instruction ID: f003c798c29efb58c17c4ba14deffd7daae0921fd8f06882e0de7f2b10ad85f7
Opcode Fuzzy Hash: dbc1b14c4c3b9337e389da45c198b71e03bc5b8b26dd5e3afe255dc60378f1db
Instruction Fuzzy Hash: FCE0D83124431836E21037987C03F897B84FF06B60F100427FB98D5AC38FE1649046EA

Function 00830D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0082F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00830D71,?,?,?,0081100A), ref: 0082F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0081100A), ref: 00830D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0081100A), ref: 00830D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00830D7F

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction ID: c2c17584899b51a69c9f51e3184ddb519db6c7a06f50f157ff63199430157ddf
Opcode Fuzzy Hash: 8190aac6d4c11a093638a9498259bc1541b4818d842ea91f4d7eb9de85701a3e
Instruction Fuzzy Hash: 57E06D702007518BE3209FFCE8583467BE4FF05740F004A2DE582CAA52DBB4E4888FD1

Function 00883017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0088302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00883044

Strings

aut, xrefs: 00883038

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction ID: f138cb5a82abec90377433de8f33b86f40ed7874e53840673b3f74f947d3e15f
Opcode Fuzzy Hash: a952069d7203b2fc5545cb149153b4abcbc31a347afea88ba88cad3c8140f0c1
Instruction Fuzzy Hash: 21D05B7150032867DA209794AD0DFC73B6CE705750F0002527655D2191DAB49544CAD0

Function 0086D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0086D220

Strings

%.3d, xrefs: 0086D22B
X64, xrefs: 0086D2A8

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction ID: 5de2fe68ec3711abb88604ae65c2ef43707bd995798b97fb8d0b07f9e017f95c
Opcode Fuzzy Hash: c2e8ae44ad7932f4c2359f2d58d83c29fc0771bb3bf49f0e7fbace9d9b2811d0
Instruction Fuzzy Hash: 59D05BB1D0831CE9CB9097D0DC559B9B37CFB08305F918463F906D1241E738E548A761

Function 008A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008A233F

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2325

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction ID: 49ac0c524c9ecfa5996180fa75af021079cc36840f2b1e3d72b1fe6b69be35fc
Opcode Fuzzy Hash: f5487fce4cea312ee9a729e91246d7a89b117aeae2203d3b98b4d194167e5686
Instruction Fuzzy Hash: ACD01236794314B7F6A4BB70DC4FFCA7A14FB15B10F008A167759EA2D4D9F4A801CA54

Function 008A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A236C
PostMessageW.USER32(00000000), ref: 008A2373

Part of subcall function 0087E97B: Sleep.KERNEL32 ref: 0087E9F3

Strings

Shell_TrayWnd, xrefs: 008A2365

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction ID: eccca48c20e6be6db2eceb6058761953ab3a2f23f69dda266fa4498532d1c7ee
Opcode Fuzzy Hash: 3d581e3807a6fef973aa98eabfe49f13599ecd58d07a38c9ce50a8a41b6fa038
Instruction Fuzzy Hash: 6FD0C9327813147AF6A4AB709C4FFCA6A14BB16B10F008A167755EA2D4D9A4A8018A54

Function 0084BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0084BE93
GetLastError.KERNEL32 ref: 0084BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084BEFC

Memory Dump Source

Source File: 00000000.00000002.1758105727.0000000000811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.1758085045.0000000000810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758180588.00000000008D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758253100.00000000008DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1758289963.00000000008E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 3991960f86941f8e40a85fa42166253ba18fd24a506b2fc5271580cf8a9ca21d
Instruction ID: bc90a83e0f63a8a24ae0db000ca94e4479e4d5985ebaf6e7c2cad2ae98afea84
Opcode Fuzzy Hash: 3991960f86941f8e40a85fa42166253ba18fd24a506b2fc5271580cf8a9ca21d
Instruction Fuzzy Hash: 3141A23460420AABDB218FA9CC44AAABBA5FF42310F144169F95DD72A2DF30DD05DB61

Analysis Process: firefox.exePID: 7704, Parent PID: 7688COMMON

Executed Functions

Function 0000002FE8721D4D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1815720040.0000002FE8721000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000002FE8721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2fe8721000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f2c66e649810fb146dddf3c0c3c8222795a3014ada3ccca081216b3790ee66
Instruction ID: c36e32eacba230637482f4b6f9b6f6705b2afd0e570f855c8dbc5358ae76cf70
Opcode Fuzzy Hash: f5f2c66e649810fb146dddf3c0c3c8222795a3014ada3ccca081216b3790ee66
Instruction Fuzzy Hash: 8C51CC7161490DAFDF88EB58C858BA8B7B1FF9C361F260129D009E3661DB71BC52CB90

Function 0000002FE8727B0C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1815720040.0000002FE8721000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000002FE8721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2fe8721000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a8705fd3745299fb8495b4f44a4031c32b66fea7b7e62b8b31eeb472a19d8a
Instruction ID: 80ca02f6907b95f1a46b5e654c67405f5deeb7654ac8ea926feac33b1e658237
Opcode Fuzzy Hash: 89a8705fd3745299fb8495b4f44a4031c32b66fea7b7e62b8b31eeb472a19d8a
Instruction Fuzzy Hash: 6CF05E3110890D9FEF94EA08D845BA8B7B1FB9C3E5F160065A40DE76A1C620A8508B90

Function 0000002FE8729435 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1815720040.0000002FE8721000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000002FE8721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2fe8721000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19340d941f23357a4cf7f7f25175d55cdeee9ffe85931ee990c4f817d12f783
Instruction ID: c3d1d60c49bba373986b1ad12c1d2445fcd14c837c6480fd357cd0e2ab60f416
Opcode Fuzzy Hash: d19340d941f23357a4cf7f7f25175d55cdeee9ffe85931ee990c4f817d12f783
Instruction Fuzzy Hash: B2E012312189085FDB8CDB54C459B7877B2FB6C315F2500AED009E72E3DA62A842CB50

Function 0000002FE8728D1B Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1815720040.0000002FE8721000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000002FE8721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2fe8721000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874fe315c850fbfb1db557c08452305dc62b53c2ff352b5e178fe7ed2a4b631a
Instruction ID: 05a4f01696b3742d800de16da7a317611732795b8d7fd0623f21663732b6aa68
Opcode Fuzzy Hash: 874fe315c850fbfb1db557c08452305dc62b53c2ff352b5e178fe7ed2a4b631a
Instruction Fuzzy Hash: 26D05E7251880D9BDF68DBC8D819BB8B3B1F79C361F190269940DE3A60C67268518781

Non-executed Functions

Function 0000002FE872A576 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000003.1815720040.0000002FE8721000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000002FE8721000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_3_2fe8721000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4154211b3b46602c72bfe45741d280616d54372364f306e800ca3471ba66356d
Instruction ID: cd55812efa6d2df5f436863f95e6e52fe1ab8e4a6b568a8f7c17f4b57b166904
Opcode Fuzzy Hash: 4154211b3b46602c72bfe45741d280616d54372364f306e800ca3471ba66356d
Instruction Fuzzy Hash: 6FC02B004C938557E2170C25040123CF1B54B433D0F52F0B98001971B34D498C021219

Analysis Process: firefox.exePID: 7492, Parent PID: 7704COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000026DBACB3332 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000026DBACB3397

Strings

A, xrefs: 0000026DBACB338F
#, xrefs: 0000026DBACB1705
>, xrefs: 0000026DBACB33F9
>, xrefs: 0000026DBACB743F
z, xrefs: 0000026DBACB4976
4, xrefs: 0000026DBACB7419
#, xrefs: 0000026DBACB33C2
z, xrefs: 0000026DBACB33CB
>, xrefs: 0000026DBACB419C
#, xrefs: 0000026DBACB4471

Memory Dump Source

Source File: 00000010.00000002.2963554208.0000026DBACB1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000026DBACB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_26dbacb1000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: 9b9f1b9c29ca25420aeb26a32565494c62cd7d77a1a1e0157ab2b668b5c9a37e
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: 3DA3E331B18A4C8BDB2EDF28DC852A973E5FB98304F54422ED94BC7255DE35E9128BC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 52.222.236.80 52.222.236.80
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1932841288.000001ADF8DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1890760923.000001AE002DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894390407.000001ADF96A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1890760923.000001AE002DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894390407.000001ADF96A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1933367590.000001ADF8D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1932841288.000001ADF8DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1919742523.000001AE001E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1919742523.000001AE001E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1890760923.000001AE002DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894390407.000001ADF96A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797573827.000001ADF9864000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1890760923.000001AE002DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894390407.000001ADF96A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1928689343.000001ADF9EEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2958242672.0000026DBA603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2958052034.0000017ECD40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1933812083.000001ADF8D1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1939192079.000001ADF8D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1797573827.000001ADF9864000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: upgrade-spotlight-rolloutfeatureUpdate:upgradeDialogimages/duckduckgo-com@2x.svgimages/aliexpress-com@2x.pngfavicons/duckduckgo-com.icoimages/facebook-com@2x.pngrs-experiment-loader-timerupdateSessionStoreForStoragefavicons/facebook-com.icoimages/leboncoin-fr@2x.pngimages/wikipedia-org@2x.pngbound onEnabledPrefChangeimages/twitter-com@2x.pngSSF_updateSessionStoreForStoragefavicons/wikipedia-org.icoimages/youtube-com@2x.pngDEFAULT_REPLACEMENT_CHARACTERfavicons/leboncoin-fr.pngnimbus-desktop-experimentshttps://www.facebook.com/https://www.amazon.co.uk/http://www.w3.org/1999/xlinkmain/nimbus-desktop-experimentshttps://www.aliexpress.com/https://www.wikipedia.org/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1933367590.000001ADF8D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1932841288.000001ADF8DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1928978741.000001ADF97E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1933367590.000001ADF8D6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796133805.000001ADF9789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:51798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:51799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.80:443 -> 192.168.2.4:51800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:51803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:51804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:51805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:51806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:51867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:51870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:51871 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52077
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51871
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51798
Source: unknown	Network traffic detected: HTTP traffic on port 51806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 51798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 51870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51804
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 51867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f8de9437-4d1e-4f17-aa03-f198cdf45683.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_f8de9437-4d1e-4f17-aa03-f198cdf45683.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre